Edit tour

Windows Analysis Report
s0VxndYXq0

Overview

General Information

Sample Name:	s0VxndYXq0 (renamed file extension from none to exe)
Analysis ID:	679299
MD5:	de9784a4f56eaf8affc96754a15a5cd3
SHA1:	35c361a8bfdb894e80fe99728e60ad7d08745af1
SHA256:	f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da
Tags:	exe
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Remcos RAT

Antivirus / Scanner detection for submitted sample

Detected Remcos RAT

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Uses ping.exe to check the status of other devices and networks

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Uses ping.exe to sleep

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

s0VxndYXq0.exe (PID: 2732 cmdline: "C:\Users\user\Desktop\s0VxndYXq0.exe" MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

s0VxndYXq0.exe (PID: 3264 cmdline: C:\Users\user\Desktop\s0VxndYXq0.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

cmd.exe (PID: 3704 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5088 cmdline: PING 127.0.0.1 -n 2 MD5: 70C24A306F768936563ABDADB9CA9108)

remcos.exe (PID: 3908 cmdline: "C:\Users\user\remcos\remcos.exe" MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 1924 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 5456 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 3572 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 5540 cmdline: "C:\Users\user\remcos\remcos.exe" MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 5580 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 4776 cmdline: "C:\Users\user\remcos\remcos.exe" MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 5832 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "79.134.225.97:8600:123456|", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "User Profile", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_totevzugmgbhhbj", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "remcos"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
s0VxndYXq0.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\remcos\remcos.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x1afb8:$remcos: Remcos 0x1b82c:$remcos: Remcos 0x1b864:$url: Breaking-Security.Net 0x20086:$resource: SETTINGS
00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x72b64:$remcos: Remcos 0x733d8:$remcos: Remcos 0x73410:$url: Breaking-Security.Net 0x77c32:$resource: SETTINGS
00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x2c434:$remcos: Remcos 0x2cca8:$remcos: Remcos 0x43454:$remcos: Remcos 0x43cc8:$remcos: Remcos 0x2cce0:$url: Breaking-Security.Net 0x43d00:$url: Breaking-Security.Net 0x314ea:$resource: SETTINGS 0x4850a:$resource: SETTINGS
0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x6f020:$remcos: Remcos 0x6f894:$remcos: Remcos 0x6f8cc:$url: Breaking-Security.Net 0x740ee:$resource: SETTINGS
00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: s0VxndYXq0.exe PID: 2732	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: s0VxndYXq0.exe PID: 2732	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: s0VxndYXq0.exe PID: 3264	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 3908	webshell_jsp_generic_base64	Generic JSP webshell with base64 encoded payload	Arnim Rupp	0x12925:$one1: SdW50aW1l 0x13d99:$one1: SdW50aW1l 0x14443:$one1: SdW50aW1l 0x217b2:$one1: SdW50aW1l 0x21e5b:$one1: SdW50aW1l 0x2550f:$one1: SdW50aW1l 0x25bb7:$one1: SdW50aW1l 0x2926b:$one1: SdW50aW1l 0x29913:$one1: SdW50aW1l 0x12ac6:$one3: UnVudGltZ 0x13f3a:$one3: UnVudGltZ 0x21953:$one3: UnVudGltZ 0x256b0:$one3: UnVudGltZ 0x2940c:$one3: UnVudGltZ 0x44ed:$two2: V4ZW 0x6c25:$cjsp_short2: %> 0x6f86:$cjsp_short2: %> 0x46540:$cjsp_long7: < %
Process Memory Space: remcos.exe PID: 3908	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: remcos.exe PID: 3908	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 5540	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 3572	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 5580	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.s0VxndYXq0.exe.452e400.8.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.452e400.8.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.452e400.8.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.452e400.8.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS
0.2.s0VxndYXq0.exe.452e400.8.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard 0x114b4:$funcs12: getscrslist 0x107e0:$funcs13: offlinelogs 0x105c8:$funcs14: getcamsingleframe 0x116e4:$funcs15: listfiles 0x115e0:$funcs16: getproclist 0x10828:$funcs17: onlinelogs 0x11700:$funcs18: getdrives 0x11784:$funcs19: remscriptsuccess 0x10600:$funcs20: getcamframe 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard 0x114b4:$funcs12: getscrslist 0x107e0:$funcs13: offlinelogs 0x105c8:$funcs14: getcamsingleframe 0x116e4:$funcs15: listfiles 0x115e0:$funcs16: getproclist 0x10828:$funcs17: onlinelogs 0x11700:$funcs18: getdrives 0x11784:$funcs19: remscriptsuccess 0x10600:$funcs20: getcamframe 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x2de9c:$s1: \Classes\mscfile\shell\open\command 0x2de84:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x2e798:$name: Remcos 0x2f00c:$name: Remcos 0x2f05f:$name: REMCOS 0x2ddec:$time: %02i:%02i:%02i:%03i 0x2ea84:$time: %02i:%02i:%02i:%03i 0x1fbb8:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x2e798:$remcos: Remcos 0x2f00c:$remcos: Remcos 0x2f044:$url: Breaking-Security.Net 0x33866:$resource: SETTINGS
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x2ec40:$funcs1: autogetofflinelogs 0x2ec24:$funcs2: clearlogins 0x2ec54:$funcs3: getofflinelogs 0x2ecdc:$funcs4: execcom 0x2ec30:$funcs5: deletekeylog 0x2eefc:$funcs6: remscriptexecd 0x2ed20:$funcs7: getwindows 0x2e504:$funcs8: fundlldata 0x2e4dc:$funcs9: getfunlib 0x2df50:$funcs10: autofflinelogs 0x2eb1c:$funcs11: getclipboard 0x2ec18:$funcs12: getscrslist 0x2df44:$funcs13: offlinelogs 0x2dd2c:$funcs14: getcamsingleframe 0x2ee48:$funcs15: listfiles 0x2ed44:$funcs16: getproclist 0x2df8c:$funcs17: onlinelogs 0x2ee64:$funcs18: getdrives 0x2eee8:$funcs19: remscriptsuccess 0x2dd64:$funcs20: getcamframe 0x2e8c0:$str_a1: C:\Windows\System32\cmd.exe
9.2.remcos.exe.2bab5e4.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.remcos.exe.2bab5e4.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x3dc84:$s1: \Classes\mscfile\shell\open\command 0x3dc6c:$s2: eventvwr.exe
9.2.remcos.exe.2bab5e4.3.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x3e580:$name: Remcos 0x3edf4:$name: Remcos 0x3ee47:$name: REMCOS 0x3dbd4:$time: %02i:%02i:%02i:%03i 0x3e86c:$time: %02i:%02i:%02i:%03i 0x2f9a0:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
9.2.remcos.exe.2bab5e4.3.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3e580:$remcos: Remcos 0x3edf4:$remcos: Remcos 0x3ee2c:$url: Breaking-Security.Net 0x4364e:$resource: SETTINGS
9.2.remcos.exe.2bab5e4.3.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x3ea28:$funcs1: autogetofflinelogs 0x3ea0c:$funcs2: clearlogins 0x3ea3c:$funcs3: getofflinelogs 0x3eac4:$funcs4: execcom 0x3ea18:$funcs5: deletekeylog 0x3ece4:$funcs6: remscriptexecd 0x3eb08:$funcs7: getwindows 0x3e2ec:$funcs8: fundlldata 0x3e2c4:$funcs9: getfunlib 0x3dd38:$funcs10: autofflinelogs 0x3e904:$funcs11: getclipboard 0x3ea00:$funcs12: getscrslist 0x3dd2c:$funcs13: offlinelogs 0x3db14:$funcs14: getcamsingleframe 0x3ec30:$funcs15: listfiles 0x3eb2c:$funcs16: getproclist 0x3dd74:$funcs17: onlinelogs 0x3ec4c:$funcs18: getdrives 0x3ecd0:$funcs19: remscriptsuccess 0x3db4c:$funcs20: getcamframe 0x3e6a8:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x43574:$s1: \Classes\mscfile\shell\open\command 0x4355c:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x43e70:$name: Remcos 0x446e4:$name: Remcos 0x44737:$name: REMCOS 0x434c4:$time: %02i:%02i:%02i:%03i 0x4415c:$time: %02i:%02i:%02i:%03i 0x35290:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x43e70:$remcos: Remcos 0x446e4:$remcos: Remcos 0x4471c:$url: Breaking-Security.Net 0x48f3e:$resource: SETTINGS
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x44318:$funcs1: autogetofflinelogs 0x442fc:$funcs2: clearlogins 0x4432c:$funcs3: getofflinelogs 0x443b4:$funcs4: execcom 0x44308:$funcs5: deletekeylog 0x445d4:$funcs6: remscriptexecd 0x443f8:$funcs7: getwindows 0x43bdc:$funcs8: fundlldata 0x43bb4:$funcs9: getfunlib 0x43628:$funcs10: autofflinelogs 0x441f4:$funcs11: getclipboard 0x442f0:$funcs12: getscrslist 0x4361c:$funcs13: offlinelogs 0x43404:$funcs14: getcamsingleframe 0x44520:$funcs15: listfiles 0x4441c:$funcs16: getproclist 0x43664:$funcs17: onlinelogs 0x4453c:$funcs18: getdrives 0x445c0:$funcs19: remscriptsuccess 0x4343c:$funcs20: getcamframe 0x43f98:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x3a0e8:$s1: \Classes\mscfile\shell\open\command 0x3a0d0:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x3a9e4:$name: Remcos 0x3b258:$name: Remcos 0x3b2ab:$name: REMCOS 0x3a038:$time: %02i:%02i:%02i:%03i 0x3acd0:$time: %02i:%02i:%02i:%03i 0x2be04:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3a9e4:$remcos: Remcos 0x3b258:$remcos: Remcos 0x3b290:$url: Breaking-Security.Net 0x3fab2:$resource: SETTINGS
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x3ae8c:$funcs1: autogetofflinelogs 0x3ae70:$funcs2: clearlogins 0x3aea0:$funcs3: getofflinelogs 0x3af28:$funcs4: execcom 0x3ae7c:$funcs5: deletekeylog 0x3b148:$funcs6: remscriptexecd 0x3af6c:$funcs7: getwindows 0x3a750:$funcs8: fundlldata 0x3a728:$funcs9: getfunlib 0x3a19c:$funcs10: autofflinelogs 0x3ad68:$funcs11: getclipboard 0x3ae64:$funcs12: getscrslist 0x3a190:$funcs13: offlinelogs 0x39f78:$funcs14: getcamsingleframe 0x3b094:$funcs15: listfiles 0x3af90:$funcs16: getproclist 0x3a1d8:$funcs17: onlinelogs 0x3b0b0:$funcs18: getdrives 0x3b134:$funcs19: remscriptsuccess 0x39fb0:$funcs20: getcamframe 0x3ab0c:$str_a1: C:\Windows\System32\cmd.exe
9.2.remcos.exe.2bb7830.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.remcos.exe.2bb7830.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x31a38:$s1: \Classes\mscfile\shell\open\command 0x31a20:$s2: eventvwr.exe
9.2.remcos.exe.2bb7830.2.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x32334:$name: Remcos 0x32ba8:$name: Remcos 0x32bfb:$name: REMCOS 0x31988:$time: %02i:%02i:%02i:%03i 0x32620:$time: %02i:%02i:%02i:%03i 0x23754:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
9.2.remcos.exe.2bb7830.2.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x32334:$remcos: Remcos 0x32ba8:$remcos: Remcos 0x32be0:$url: Breaking-Security.Net 0x37402:$resource: SETTINGS
9.2.remcos.exe.2bb7830.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x327dc:$funcs1: autogetofflinelogs 0x327c0:$funcs2: clearlogins 0x327f0:$funcs3: getofflinelogs 0x32878:$funcs4: execcom 0x327cc:$funcs5: deletekeylog 0x32a98:$funcs6: remscriptexecd 0x328bc:$funcs7: getwindows 0x320a0:$funcs8: fundlldata 0x32078:$funcs9: getfunlib 0x31aec:$funcs10: autofflinelogs 0x326b8:$funcs11: getclipboard 0x327b4:$funcs12: getscrslist 0x31ae0:$funcs13: offlinelogs 0x318c8:$funcs14: getcamsingleframe 0x329e4:$funcs15: listfiles 0x328e0:$funcs16: getproclist 0x31b28:$funcs17: onlinelogs 0x32a00:$funcs18: getdrives 0x32a84:$funcs19: remscriptsuccess 0x31900:$funcs20: getcamframe 0x3245c:$str_a1: C:\Windows\System32\cmd.exe
5.0.s0VxndYXq0.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.0.s0VxndYXq0.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe
5.0.s0VxndYXq0.exe.400000.0.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
5.0.s0VxndYXq0.exe.400000.0.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS
5.0.s0VxndYXq0.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard 0x114b4:$funcs12: getscrslist 0x107e0:$funcs13: offlinelogs 0x105c8:$funcs14: getcamsingleframe 0x116e4:$funcs15: listfiles 0x115e0:$funcs16: getproclist 0x10828:$funcs17: onlinelogs 0x11700:$funcs18: getdrives 0x11784:$funcs19: remscriptsuccess 0x10600:$funcs20: getcamframe 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x27758:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe 0x27740:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x28054:$name: Remcos 0x288c8:$name: Remcos 0x2891b:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x276a8:$time: %02i:%02i:%02i:%03i 0x28340:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72 0x19a1c:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x28054:$remcos: Remcos 0x288c8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x28900:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS 0x2d10a:$resource: SETTINGS
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x284fc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x284e0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x28510:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x28598:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x284ec:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x287b8:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x285dc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x27dc0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x27d98:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x2780c:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard
0.2.s0VxndYXq0.exe.4545420.9.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.4545420.9.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.4545420.9.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.4545420.9.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS
0.2.s0VxndYXq0.exe.4545420.9.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard 0x114b4:$funcs12: getscrslist 0x107e0:$funcs13: offlinelogs 0x105c8:$funcs14: getcamsingleframe 0x116e4:$funcs15: listfiles 0x115e0:$funcs16: getproclist 0x10828:$funcs17: onlinelogs 0x11700:$funcs18: getdrives 0x11784:$funcs19: remscriptsuccess 0x10600:$funcs20: getcamframe 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
9.2.remcos.exe.2ba2158.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.remcos.exe.2ba2158.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x47110:$s1: \Classes\mscfile\shell\open\command 0x470f8:$s2: eventvwr.exe
9.2.remcos.exe.2ba2158.1.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x47a0c:$name: Remcos 0x48280:$name: Remcos 0x482d3:$name: REMCOS 0x47060:$time: %02i:%02i:%02i:%03i 0x47cf8:$time: %02i:%02i:%02i:%03i 0x38e2c:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
9.2.remcos.exe.2ba2158.1.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x47a0c:$remcos: Remcos 0x48280:$remcos: Remcos 0x482b8:$url: Breaking-Security.Net 0x4cada:$resource: SETTINGS
9.2.remcos.exe.2ba2158.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x47eb4:$funcs1: autogetofflinelogs 0x47e98:$funcs2: clearlogins 0x47ec8:$funcs3: getofflinelogs 0x47f50:$funcs4: execcom 0x47ea4:$funcs5: deletekeylog 0x48170:$funcs6: remscriptexecd 0x47f94:$funcs7: getwindows 0x47778:$funcs8: fundlldata 0x47750:$funcs9: getfunlib 0x471c4:$funcs10: autofflinelogs 0x47d90:$funcs11: getclipboard 0x47e8c:$funcs12: getscrslist 0x471b8:$funcs13: offlinelogs 0x46fa0:$funcs14: getcamsingleframe 0x480bc:$funcs15: listfiles 0x47fb8:$funcs16: getproclist 0x47200:$funcs17: onlinelogs 0x480d8:$funcs18: getdrives 0x4815c:$funcs19: remscriptsuccess 0x46fd8:$funcs20: getcamframe 0x47b34:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x2b958:$s1: \Classes\mscfile\shell\open\command 0x42978:$s1: \Classes\mscfile\shell\open\command 0x2b940:$s2: eventvwr.exe 0x42960:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x2c254:$name: Remcos 0x2cac8:$name: Remcos 0x2cb1b:$name: REMCOS 0x43274:$name: Remcos 0x43ae8:$name: Remcos 0x43b3b:$name: REMCOS 0x2b8a8:$time: %02i:%02i:%02i:%03i 0x2c540:$time: %02i:%02i:%02i:%03i 0x428c8:$time: %02i:%02i:%02i:%03i 0x43560:$time: %02i:%02i:%02i:%03i 0x1dc1c:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72 0x34c3c:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x2c254:$remcos: Remcos 0x2cac8:$remcos: Remcos 0x43274:$remcos: Remcos 0x43ae8:$remcos: Remcos 0x2cb00:$url: Breaking-Security.Net 0x43b20:$url: Breaking-Security.Net 0x3130a:$resource: SETTINGS 0x4832a:$resource: SETTINGS
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x2c6fc:$funcs1: autogetofflinelogs 0x4371c:$funcs1: autogetofflinelogs 0x2c6e0:$funcs2: clearlogins 0x43700:$funcs2: clearlogins 0x2c710:$funcs3: getofflinelogs 0x43730:$funcs3: getofflinelogs 0x2c798:$funcs4: execcom 0x437b8:$funcs4: execcom 0x2c6ec:$funcs5: deletekeylog 0x4370c:$funcs5: deletekeylog 0x2c9b8:$funcs6: remscriptexecd 0x439d8:$funcs6: remscriptexecd 0x2c7dc:$funcs7: getwindows 0x437fc:$funcs7: getwindows 0x2bfc0:$funcs8: fundlldata 0x42fe0:$funcs8: fundlldata 0x2bf98:$funcs9: getfunlib 0x42fb8:$funcs9: getfunlib 0x2ba0c:$funcs10: autofflinelogs 0x42a2c:$funcs10: autofflinelogs 0x2c5d8:$funcs11: getclipboard
0.0.s0VxndYXq0.exe.550000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Click to see the 56 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: s0VxndYXq0.exe	Virustotal: Detection: 53%			Perma Link
Source: s0VxndYXq0.exe	ReversingLabs: Detection: 53%

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 3264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5580, type: MEMORYSTR

Antivirus / Scanner detection for submitted sample

Source: s0VxndYXq0.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\remcos\remcos.exe

Avira: detection malicious, Label: TR/Kryptik.wodao

Multi AV Scanner detection for dropped file

Source: C:\Users\user\remcos\remcos.exe

ReversingLabs: Detection: 53%

Machine Learning detection for sample

Source: s0VxndYXq0.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\remcos\remcos.exe

Joe Sandbox ML: detected

Source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "79.134.225.97:8600:123456|", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "User Profile", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_totevzugmgbhhbj", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "remcos"}

Source: s0VxndYXq0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: s0VxndYXq0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2

Yara detected Generic Downloader

Source: Yara match	File source: s0VxndYXq0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.s0VxndYXq0.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\remcos\remcos.exe, type: DROPPED

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 79.134.225.97

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: Joe Sandbox View

IP Address: 79.134.225.97 79.134.225.97

Source: global traffic

TCP traffic: 192.168.2.4:49765 -> 79.134.225.97:8600

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97

Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: http://bit.ly/unCoIY?http://lolnotes-
Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: http://bladecoding.com/lolnotes/leagueofstats.php?name=
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: s0VxndYXq0.exe, 00000000.00000003.243809889.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243932808.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243586194.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244127013.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244021936.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243771965.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243848246.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244328823.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244234942.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.249288953.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274138797.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.cw
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274032296.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.264248405.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: s0VxndYXq0.exe, 00000000.00000003.237525657.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237981073.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238107631.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: s0VxndYXq0.exe, 00000000.00000003.237791179.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237771360.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237819421.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersF
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: s0VxndYXq0.exe, 00000000.00000003.237710320.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: s0VxndYXq0.exe, 00000000.00000003.238476266.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238443260.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersa
Source: s0VxndYXq0.exe, 00000000.00000003.244079552.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerse
Source: s0VxndYXq0.exe, 00000000.00000003.237791179.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237910949.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237771360.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237851832.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237819421.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237952730.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerses-es_tradnlw
Source: s0VxndYXq0.exe, 00000000.00000003.244112658.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244079552.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerst
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com7
Source: s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsF
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsR
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsk
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comictav
Source: s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l-g
Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: http://www.lolking.net/summoner/
Source: s0VxndYXq0.exe, 00000000.00000003.237033632.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237070417.0000000005B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.Wb
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: https://github.com/high6/LoLNotes
Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: https://raw.github.com/bladecoding/LoLNotes/master/General.txtO

Source: remcos.exe, 00000009.00000002.322144849.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 3264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5580, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group

Source: s0VxndYXq0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR	Matched rule: webshell_jsp_generic_base64 date = 2021/01/24, author = Arnim Rupp, description = Generic JSP webshell with base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 1b916afdd415dfa4e77cecf47321fd676ba2184d

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_029DE4FC	0_2_029DE4FC
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_075A53C0	0_2_075A53C0
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_075A6988	0_2_075A6988
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_075AA3B8	0_2_075AA3B8
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_075A53B0	0_2_075A53B0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_00F8E4FC	9_2_00F8E4FC
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_07006988	9_2_07006988
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_070053C0	9_2_070053C0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0700A3B8	9_2_0700A3B8
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_070053B0	9_2_070053B0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADCC078	9_2_0ADCC078
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADCC6E0	9_2_0ADCC6E0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADC21F0	9_2_0ADC21F0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADC21E1	9_2_0ADC21E1
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0AEE7AA0	9_2_0AEE7AA0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0AEE0040	9_2_0AEE0040
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0AEE0039	9_2_0AEE0039
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0AEE8CF0	9_2_0AEE8CF0

Source: s0VxndYXq0.exe, 00000000.00000002.276887769.00000000075C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePlates.dll4 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000002.267398551.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000002.267211444.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000003.253119443.00000000088CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePlates.dll4 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000000.224015352.0000000000552000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameChannelServicesD.exe2 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000002.278244309.000000000B4F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000002.268898105.0000000004279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000005.00000003.263421070.000000000111B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameChannelServicesD.exe2 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe	Binary or memory string: OriginalFilenameChannelServicesD.exe2 vs s0VxndYXq0.exe

Source: s0VxndYXq0.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: remcos.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: s0VxndYXq0.exe	Virustotal: Detection: 53%
Source: s0VxndYXq0.exe	ReversingLabs: Detection: 53%

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File read: C:\Users\user\Desktop\s0VxndYXq0.exe

Jump to behavior

Source: s0VxndYXq0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\s0VxndYXq0.exe "C:\Users\user\Desktop\s0VxndYXq0.exe"
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Users\user\Desktop\s0VxndYXq0.exe C:\Users\user\Desktop\s0VxndYXq0.exe
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"
Source: unknown	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: unknown	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Users\user\Desktop\s0VxndYXq0.exe C:\Users\user\Desktop\s0VxndYXq0.exe	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s0VxndYXq0.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File created: C:\Users\user\AppData\Local\Temp\install.bat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@23/5@0/2

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: s0VxndYXq0.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\remcos\remcos.exe	Mutant created: \Sessions\1\BaseNamedObjects\remcos_totevzugmgbhhbj
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3708:120:WilError_01

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: s0VxndYXq0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: s0VxndYXq0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_07004C20 pushfd ; iretd		9_2_07004C21
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADC5FAC push edx; ret		9_2_0ADC5FB3

Source: initial sample	Static PE information: section name: .text entropy: 7.366377921746369
Source: initial sample	Static PE information: section name: .text entropy: 7.366377921746369

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File created: C:\Users\user\remcos\remcos.exe

Jump to dropped file

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run remcos			Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run remcos			Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000002.268992522.0000000000410000.00000040.00000400.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.351006623.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000016.00000002.374683263.000000000336D000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000001A.00000002.341382253.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: remcos.exe, 0000001A.00000002.341382253.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: D/PD/P`\YISBIEDLL.DLL
Source: s0VxndYXq0.exe, 00000005.00000002.268992522.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: D/PD/P`\COSBIEDLL.DLL
Source: s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2			Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe TID: 4288	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe TID: 1400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe TID: 2960	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe TID: 3584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe TID: 5536	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe TID: 2860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe TID: 3656	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe TID: 5752	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe TID: 2188	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\remcos\remcos.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\remcos\remcos.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000002.268992522.0000000000410000.00000040.00000400.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000001A.00000002.341382253.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000002.268992522.0000000000410000.00000040.00000400.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000001A.00000002.341382253.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?playaudiodatafmt WAVERIFF.wav%Y-%m-%d %H.%MgetcamsingleframenocamerastartcamcapclosecamgetcamframeinitcamcapFreeFrameGetFrameCloseCameraOpenCameracamdlldatacamframe\|dmc\|[DataStart][DataStart]0000%02i:%02i:%02i:%03i [KeepAlive] Enabled! (Timeout: %i seconds)
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\remcos\remcos.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Memory written: C:\Users\user\Desktop\s0VxndYXq0.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Memory written: C:\Users\user\remcos\remcos.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Memory written: C:\Users\user\remcos\remcos.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Users\user\Desktop\s0VxndYXq0.exe C:\Users\user\Desktop\s0VxndYXq0.exe	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe	Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Users\user\Desktop\s0VxndYXq0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Users\user\remcos\remcos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Users\user\remcos\remcos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Users\user\remcos\remcos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 3264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5580, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 3264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5580, type: MEMORYSTR

Detected Remcos RAT

Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: remcos.exe, 0000001C.00000002.367697487.0000000000E27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Injser

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	1 Input Capture	21 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Scripting	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
s0VxndYXq0.exe	54%	Virustotal		Browse
s0VxndYXq0.exe	54%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint
s0VxndYXq0.exe	100%	Avira	TR/Kryptik.wodao
s0VxndYXq0.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\remcos\remcos.exe	100%	Avira	TR/Kryptik.wodao
C:\Users\user\remcos\remcos.exe	100%	Joe Sandbox ML
C:\Users\user\remcos\remcos.exe	54%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.s0VxndYXq0.exe.452e400.8.unpack	100%	Avira	HEUR/AGEN.1219514	Download File
5.0.s0VxndYXq0.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1219514	Download File
0.2.s0VxndYXq0.exe.4545420.9.unpack	100%	Avira	HEUR/AGEN.1219514	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://bladecoding.com/lolnotes/leagueofstats.php?name=	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.comalsR	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
79.134.225.97	3%	Virustotal		Browse
79.134.225.97	0%	Avira URL Cloud	safe
http://www.agfamonotype.cw	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comictav	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.fontbureau.com7	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsk	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/l-g	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.monotype.Wb	0%	Avira URL Cloud	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
79.134.225.97	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bladecoding.com/lolnotes/leagueofstats.php?name=	s0VxndYXq0.exe, remcos.exe.5.dr	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersF	s0VxndYXq0.exe, 00000000.00000003.237791179.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237771360.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237819421.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.lolking.net/summoner/	s0VxndYXq0.exe, remcos.exe.5.dr	false		high
http://www.fontbureau.comalsR	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	s0VxndYXq0.exe, 00000000.00000003.237525657.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comessed	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersP	s0VxndYXq0.exe, 00000000.00000003.237710320.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.agfamonotype.cw	s0VxndYXq0.exe, 00000000.00000003.243809889.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243932808.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243586194.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244127013.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244021936.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243771965.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243848246.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244328823.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244234942.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.249288953.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274138797.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsF	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersa	s0VxndYXq0.exe, 00000000.00000003.238476266.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238443260.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designerse	s0VxndYXq0.exe, 00000000.00000003.244079552.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comictav	s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/%	s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com7	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsk	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com.TTF	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designerst	s0VxndYXq0.exe, 00000000.00000003.244112658.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244079552.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/l-g	s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y	s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274032296.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.264248405.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.github.com/bladecoding/LoLNotes/master/General.txtO	s0VxndYXq0.exe, remcos.exe.5.dr	false		high
http://www.jiyu-kobo.co.jp/jp/	s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designerses-es_tradnlw	s0VxndYXq0.exe, 00000000.00000003.237791179.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237910949.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237771360.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237851832.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237819421.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237952730.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comd	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/high6/LoLNotes	s0VxndYXq0.exe, remcos.exe.5.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237981073.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238107631.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.monotype.Wb	s0VxndYXq0.exe, 00000000.00000003.237033632.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237070417.0000000005B20000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm	s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://bit.ly/unCoIY?http://lolnotes-	s0VxndYXq0.exe, remcos.exe.5.dr	false		high
http://www.fontbureau.com/designers8	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.97	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679299
Start date and time: 05/08/202214:59:08	2022-08-05 14:59:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	s0VxndYXq0 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@23/5@0/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 92% Number of executed functions: 207 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:00:21	API Interceptor	2x Sleep call for process: s0VxndYXq0.exe modified
15:00:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run remcos "C:\Users\user\remcos\remcos.exe"
15:00:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run remcos "C:\Users\user\remcos\remcos.exe"
15:00:43	API Interceptor	6x Sleep call for process: remcos.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.97	1sqNsxHsed.exe	Get hash	malicious	Browse
	ENQUIRY # 12201408_06202022.exe	Get hash	malicious	Browse
	doc_69257199432-97424323002.pdf.vbs	Get hash	malicious	Browse
	iXQth4acZ7.exe	Get hash	malicious	Browse
	JAAX1VADNG.exe	Get hash	malicious	Browse
	C202000000164556_pdf.exe	Get hash	malicious	Browse
	fattura di pagamento 0CV1-005444pdf.exe	Get hash	malicious	Browse
	bonifico.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	Model list set 20 USD4 8 HPID 90CUI 874.exe	Get hash	malicious	Browse	79.134.225.53
	ACH_221515_Payment_Advice.xls	Get hash	malicious	Browse	79.134.225.28
	remittance advice.xls	Get hash	malicious	Browse	79.134.225.22
	remittance advice.xls - Copy.xls	Get hash	malicious	Browse	79.134.225.22
	remittance advice.xls	Get hash	malicious	Browse	79.134.225.22
	remittance advice.xls	Get hash	malicious	Browse	79.134.225.22
	gunzipped.exe	Get hash	malicious	Browse	79.134.225.113
	Order Inqury'012-1-08-22.jar	Get hash	malicious	Browse	79.134.225.85
	Order Inqury'012-1-08-22.jar	Get hash	malicious	Browse	79.134.225.85
	triage_dropped_file.exe	Get hash	malicious	Browse	79.134.225.33
	RegAsm.exe	Get hash	malicious	Browse	79.134.225.119
	e969e5d52792da33934e8aebae044a1c.exe	Get hash	malicious	Browse	79.134.225.119
	Enquiry #378893.exe	Get hash	malicious	Browse	79.134.225.54
	QUOTATION REQUEST 20320202.exe	Get hash	malicious	Browse	79.134.225.54
	RFQ Number OQ22018931.exe	Get hash	malicious	Browse	79.134.225.54
	Fiche N#U00b0248-2 Impots Fiscal.lnk	Get hash	malicious	Browse	79.134.225.10
	NZ6REqDv6K.exe	Get hash	malicious	Browse	79.134.225.10
	doc_41617304446-5779329884601.vbs	Get hash	malicious	Browse	79.134.225.116
	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	Get hash	malicious	Browse	79.134.225.107
	wBG6L1xH1r.exe	Get hash	malicious	Browse	79.134.225.102

Process:	C:\Users\user\remcos\remcos.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s0VxndYXq0.exe.log

Download File

Process:	C:\Users\user\Desktop\s0VxndYXq0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\install.bat

Download File

Process:	C:\Users\user\Desktop\s0VxndYXq0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	83
Entropy (8bit):	4.660536268409599
Encrypted:	false
SSDEEP:	3:cQxCvfn9m1t+CQHovBkwbM2n:cQ2fE1wCSovKwo2n
MD5:	F153731DF7A038F42AAA8D34E873FF25
SHA1:	1C90ACC2243D0DBEDEB28A8F7F719E605D80894D
SHA-256:	BC24BC26EE03AE15EE552CADF887C9FC201D19D76944321883E5C818D0E8A4AF
SHA-512:	F16A79B8A04E90B7B8F43D3001D51FDDDDC07B8D117D1CF978C35C96DDFFD161E6901DA5446EB42758DC980FC79ADC8BCA1B5DA640AB294BD24A8944FF0D01CA
Malicious:	false
Preview:	PING 127.0.0.1 -n 2 ..start "" "C:\Users\user\remcos\remcos.exe"..del %0 ..exit ..

C:\Users\user\remcos\remcos.exe

Download File

Process:	C:\Users\user\Desktop\s0VxndYXq0.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	950272
Entropy (8bit):	7.359178629458712
Encrypted:	false
SSDEEP:	12288:4Rb0kj3oTB2b2UVFdPBGjIKHfrLPVPf1cLlq+R3rU8weZd+ydGRuwJGdaTuM18N5:4RA0siGjIKHf/NH1eFR7U8wWkTRk
MD5:	DE9784A4F56EAF8AFFC96754A15A5CD3
SHA1:	35C361A8BFDB894E80FE99728E60AD7D08745AF1
SHA-256:	F384A96582763BE490EA4EEED6D3F10291D7DF964F64DB077B4D10697149A7DA
SHA-512:	8576E0ED22421F70350A1108129E6DFA0190335724561CA5093E22A8CEB2E6AD0D61DB77A86C4603C60F4627C091D576B9174DAA2C0545D9D1E032502BC19E3E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\remcos\remcos.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 54%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.b..............0..`..........n~... ........@.. ....................................@..................................~..W.................................................................................... ............... ..H............text...t^... ...`.................. ..`.rsrc................b..............@..@.reloc...............~..............@..B................P~......H........E..\|8......+...X...@E............................................U.....U..`.E.f.8.u...3..f9H.u..@.....a.........0..............0...........(......0...........(......0...........(......0..<........(#.......(.......(.......(........(........(........(......0...........{......0............}.....0...........{......0............}.....0...........{......0............}.....0...........{......0............}.....0...........{......0............}....*.0..........

C:\Users\user\remcos\remcos.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\s0VxndYXq0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.359178629458712
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	s0VxndYXq0.exe
File size:	950272
MD5:	de9784a4f56eaf8affc96754a15a5cd3
SHA1:	35c361a8bfdb894e80fe99728e60ad7d08745af1
SHA256:	f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da
SHA512:	8576e0ed22421f70350a1108129e6dfa0190335724561ca5093e22a8ceb2e6ad0d61db77a86c4603c60f4627c091d576b9174daa2c0545d9d1e032502bc19e3e
SSDEEP:	12288:4Rb0kj3oTB2b2UVFdPBGjIKHfrLPVPf1cLlq+R3rU8weZd+ydGRuwJGdaTuM18N5:4RA0siGjIKHf/NH1eFR7U8wWkTRk
TLSH:	5D155A99369071EFC857C976CA682C50FB31B576930FD207A45322ADAE0D6ABDF101F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.b..............0..`..........n~... ........@.. ....................................@................................

File Icon


Icon Hash:	397165848c36a18d

Static PE Info

General

Entrypoint:	0x4e7e6e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62E047C2 [Tue Jul 26 20:00:02 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe7e14	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe8000	0x1a90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe5e74	0xe6000	False	0.7169316830842392	data	7.366377921746369	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe8000	0x1a90	0x1c00	False	0.45717075892857145	data	5.558425499312093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xe8160	0xd28	data
RT_GROUP_ICON	0xe8e88	0x14	data
RT_GROUP_ICON	0xe8e9c	0x14	data
RT_VERSION	0xe8eb0	0x33c	data
RT_MANIFEST	0xe91ec	0x8a3	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 15:00:51.489784956 CEST	49765	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:51.547962904 CEST	8600	49765	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:52.065028906 CEST	49765	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:52.123380899 CEST	8600	49765	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:52.709264040 CEST	49765	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:52.767832994 CEST	8600	49765	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:57.773063898 CEST	49770	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:57.832314014 CEST	8600	49770	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:58.334733009 CEST	49770	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:58.393183947 CEST	8600	49770	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:59.022278070 CEST	49770	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:59.080661058 CEST	8600	49770	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:04.092365980 CEST	49772	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:04.150609970 CEST	8600	49772	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:04.710223913 CEST	49772	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:04.768486977 CEST	8600	49772	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:05.413645983 CEST	49772	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:05.472306967 CEST	8600	49772	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:10.476984978 CEST	49773	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:10.535494089 CEST	8600	49773	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:11.132644892 CEST	49773	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:11.191097975 CEST	8600	49773	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:11.835798979 CEST	49773	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:11.897294044 CEST	8600	49773	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:16.906243086 CEST	49774	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:16.964862108 CEST	8600	49774	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:17.602025032 CEST	49774	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:17.660366058 CEST	8600	49774	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:18.211484909 CEST	49774	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:18.269845963 CEST	8600	49774	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:23.275614977 CEST	49776	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:23.334021091 CEST	8600	49776	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:23.914994955 CEST	49776	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:23.973387957 CEST	8600	49776	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:24.602653980 CEST	49776	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:24.661000013 CEST	8600	49776	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:29.691310883 CEST	49801	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:29.749579906 CEST	8600	49801	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:30.337486982 CEST	49801	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:30.395963907 CEST	8600	49801	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:31.024995089 CEST	49801	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:31.083328009 CEST	8600	49801	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:36.541906118 CEST	49819	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:36.600670099 CEST	8600	49819	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:37.135059118 CEST	49819	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:37.193582058 CEST	8600	49819	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:37.838089943 CEST	49819	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:37.896397114 CEST	8600	49819	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:42.902713060 CEST	49827	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:42.961273909 CEST	8600	49827	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:43.463576078 CEST	49827	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:43.522169113 CEST	8600	49827	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:44.026073933 CEST	49827	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:44.084547043 CEST	8600	49827	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:49.099905968 CEST	49836	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:49.158422947 CEST	8600	49836	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:49.667279005 CEST	49836	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:49.725716114 CEST	8600	49836	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:50.229877949 CEST	49836	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:50.288291931 CEST	8600	49836	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:56.090359926 CEST	49844	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:56.148978949 CEST	8600	49844	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:56.652179956 CEST	49844	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:56.710563898 CEST	8600	49844	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:57.214720964 CEST	49844	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:57.273039103 CEST	8600	49844	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:02.278929949 CEST	49861	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:02.337223053 CEST	8600	49861	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:02.840158939 CEST	49861	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:02.898443937 CEST	8600	49861	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:03.402717113 CEST	49861	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:03.460984945 CEST	8600	49861	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:09.368092060 CEST	49865	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:09.426564932 CEST	8600	49865	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:10.090811968 CEST	49865	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:10.149149895 CEST	8600	49865	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:10.700218916 CEST	49865	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:10.758519888 CEST	8600	49865	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:15.763689041 CEST	49866	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:15.821871996 CEST	8600	49866	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:16.325689077 CEST	49866	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:16.384908915 CEST	8600	49866	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:16.888501883 CEST	49866	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:16.946827888 CEST	8600	49866	79.134.225.97	192.168.2.4

Target ID:	0
Start time:	15:00:07
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\s0VxndYXq0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\s0VxndYXq0.exe"
Imagebase:	0x550000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	15:00:23
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\s0VxndYXq0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\s0VxndYXq0.exe
Imagebase:	0x930000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	15:00:27
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "
Imagebase:	0x1190000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	15:00:28
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7338d0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	15:00:29
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	PING 127.0.0.1 -n 2
Imagebase:	0x13b0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	15:00:30
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\remcos\remcos.exe"
Imagebase:	0x530000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Remcos, Description: detect Remcos in memory, Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\remcos\remcos.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 54%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	15:00:39
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\remcos\remcos.exe"
Imagebase:	0x950000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Remcos, Description: detect Remcos in memory, Source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Target ID:	21
Start time:	15:00:47
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0x1b0000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	22
Start time:	15:00:47
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\remcos\remcos.exe"
Imagebase:	0xb70000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	23
Start time:	15:00:48
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0x80000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	24
Start time:	15:00:49
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0x850000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	26
Start time:	15:01:00
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0xbe0000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	28
Start time:	15:01:11
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0x650000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	1

Executed Functions

Function 075A6988 Relevance: .7, Instructions: 743COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7d777d2d935bc70463d9464e5c10228b591957c6b8957a159170d857eb50e5
Instruction ID: c36e30d26f7b05b133a14d7b844bfe85637dc91fe6fdb72943c0b90971e680a6
Opcode Fuzzy Hash: 6e7d777d2d935bc70463d9464e5c10228b591957c6b8957a159170d857eb50e5
Instruction Fuzzy Hash: BF524EB5B00116AFDB14DF68C894AED77B2FF89714B198469E806DB364DB35DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 075A53B0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a198622a4550cc353982816cb5404ab8976f0ecd70bcc95f5f0d2cf27fe83fe
Instruction ID: 2e63b50df47999d34c5be67c45874c311f8449f65837752173e809cb04fd3b9e
Opcode Fuzzy Hash: 5a198622a4550cc353982816cb5404ab8976f0ecd70bcc95f5f0d2cf27fe83fe
Instruction Fuzzy Hash: C4811474E11209DFCB04DFA5E6849DEFBB2FF89301F20852AD506B7254EB34AA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075A53C0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396409506bccfa6c32387af770b43311f68420618706b5166bc4f07ce1b43297
Instruction ID: dc2c906c90242f0095623f9a746b9c1a7713baa492d41b25e2d12bef2f1f0674
Opcode Fuzzy Hash: 396409506bccfa6c32387af770b43311f68420618706b5166bc4f07ce1b43297
Instruction Fuzzy Hash: 8D710474E11209DFCB04DFA5E6849DEFBB2FF89300F20852AD506B7254EB349A55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029DB722 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 029DB976

Memory Dump Source

Source File: 00000000.00000002.266716584.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_s0VxndYXq0.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7167d1073422c3908127dfb4772141b11252963832ce108724a721361a7c457a
Instruction ID: b68f4e71c94d997f5968814b9ab5fb2e9ee691e068ebeed54b06057eb0cf6996
Opcode Fuzzy Hash: 7167d1073422c3908127dfb4772141b11252963832ce108724a721361a7c457a
Instruction Fuzzy Hash: FF712370A00B058FD724DF2AD59579ABBF5FF88208F01892ED49AD7A50D734E80A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 029D5B24 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 029D5BE1

Memory Dump Source

Source File: 00000000.00000002.266716584.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_s0VxndYXq0.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ef77f8a987c8ff1b16339832a1995c470f0c722841a5474326bdc25559db1948
Instruction ID: 1e78ab7336ad206f0736031e6960b0cd24bcd17526dd88854f291720bffd0cfc
Opcode Fuzzy Hash: ef77f8a987c8ff1b16339832a1995c470f0c722841a5474326bdc25559db1948
Instruction Fuzzy Hash: F8411571C00618CFDB24DFA9C9857DEBBB1BF48308F248469D409BB651DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 029D4338 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 029D5BE1

Memory Dump Source

Source File: 00000000.00000002.266716584.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_s0VxndYXq0.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3af5df1ebe6c2bbdd56586d7fe3043bbbb63d16edf39f701d4e0fdff233d634d
Instruction ID: eae79e94ef0b9663e8e2ab620e756ef7a2eb77bc0e58098b7d22bf0e884185e9
Opcode Fuzzy Hash: 3af5df1ebe6c2bbdd56586d7fe3043bbbb63d16edf39f701d4e0fdff233d634d
Instruction Fuzzy Hash: B941F4B0C0021CCBDB24DFA9C984BDEBBB5BF48308F208469D409BB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 029DD7A4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029DDC1E,?,?,?,?,?), ref: 029DDCDF

Memory Dump Source

Source File: 00000000.00000002.266716584.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_s0VxndYXq0.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fdd640e6e5730e5a615b23b586cf7b810b7287e521f8df28b7ea0e23e2f1183e
Instruction ID: 95e27a74452594e000866e34602549241efb8a4eb9cc0d77b980af4ee61f94c3
Opcode Fuzzy Hash: fdd640e6e5730e5a615b23b586cf7b810b7287e521f8df28b7ea0e23e2f1183e
Instruction Fuzzy Hash: C821E4B5900209AFDB10CFA9D984AEEBBF8FB48324F14845AE915B3710D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029DBB90 Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,029DB9F1,00000800,00000000,00000000), ref: 029DBC02

Memory Dump Source

Source File: 00000000.00000002.266716584.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_s0VxndYXq0.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1764d12dbe2833bfee6e00af1820b55d0dcd2047e2476229a5cd31c0653ec0e2
Instruction ID: 17cc8fdb30dac09d06765503bbf38a7ee0316998678ccf8e80deace753dfd150
Opcode Fuzzy Hash: 1764d12dbe2833bfee6e00af1820b55d0dcd2047e2476229a5cd31c0653ec0e2
Instruction Fuzzy Hash: 6F1144B69002088FCB10CFAAC585BDEFBF4EB48364F04841AD429A7610C374A54ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029DB1B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,029DB9F1,00000800,00000000,00000000), ref: 029DBC02

Memory Dump Source

Source File: 00000000.00000002.266716584.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_s0VxndYXq0.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ec74962017700c99c0a72eb68d652844fd7b61e71a67d1989d306602cc40f3
Instruction ID: a8d15b4ec1f6afa4e53d71348673833a8b2aaeebd92cfb3115ddd5e7bf19c3c4
Opcode Fuzzy Hash: f6ec74962017700c99c0a72eb68d652844fd7b61e71a67d1989d306602cc40f3
Instruction Fuzzy Hash: DC1103B69002099FDB10CF9AC544AEEFBF8AB48364F14846EE419B7610C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029DB910 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 029DB976

Memory Dump Source

Source File: 00000000.00000002.266716584.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_s0VxndYXq0.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 75ebce0cd03cd4f53d68ff49b5e76b7bec5827164525593076c7ebfc7c84c2f9
Instruction ID: ccc994529e1fed28682f301b27456f82083f8053a9c3df320aaae444f571d83c
Opcode Fuzzy Hash: 75ebce0cd03cd4f53d68ff49b5e76b7bec5827164525593076c7ebfc7c84c2f9
Instruction Fuzzy Hash: 941110B6D002498FCB10CF9AC484BDEFBF8AB88328F14845AD429B7710C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075A0040 Relevance: .7, Instructions: 730
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b52565a4411265e5688f1ae1ab0a2c65a9fab4ab82b548fdf3202fe7500772a
Instruction ID: 500cf37aea201d76452dbf0f5b601b1d383c2946275d12b907541ed7a155b712
Opcode Fuzzy Hash: 1b52565a4411265e5688f1ae1ab0a2c65a9fab4ab82b548fdf3202fe7500772a
Instruction Fuzzy Hash: 74720D31910609CFCB54EF68C894AEDB7B1FF45304F0086A9D549AB265FF30AA95CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075AECD8 Relevance: .4, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb020b89ff42b44ea7957b64303939fa93800c4acaf3f980dc08c59c9b757cb
Instruction ID: 80813afc58ea33074d4ef9b12fc1c051e81ce09faac3641a44cff3625fd614fc
Opcode Fuzzy Hash: 4bb020b89ff42b44ea7957b64303939fa93800c4acaf3f980dc08c59c9b757cb
Instruction Fuzzy Hash: C0D1D3F0B00106EFCB15AB64C4566EEBFB1FF85340F5548BAD442A72A5E731C866CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075AE640 Relevance: .3, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc47e036a71b9dde0ce9339eddd4a44e363322f7fa9f0a7e297a11f1c2e1838
Instruction ID: ea25abc9776c5dedf8c84f507090589ef5a3aa764889dd2ad92dcca1dd7acacd
Opcode Fuzzy Hash: fbc47e036a71b9dde0ce9339eddd4a44e363322f7fa9f0a7e297a11f1c2e1838
Instruction Fuzzy Hash: 22A1C2B1A002459FDB14EB74D44A7EE7BF6EF89314F14887AD405EB380DB388946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 075A2244 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdaaa4e96823b51510b5236227e89c38012e5ff24fefa953643a7363ee98bac
Instruction ID: 63d406d3763c3de8aa073cc8d72a22b10f0d0d53e2e50370c8d11773fa13b5eb
Opcode Fuzzy Hash: ecdaaa4e96823b51510b5236227e89c38012e5ff24fefa953643a7363ee98bac
Instruction Fuzzy Hash: EF917CB0300605AFCB19EB74C495AAE73A3BFC5618F108979E4569B3A0DF35EC46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 075AE9E0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0815c7cca971519b048b1da389264e4ab26db122c5ca2eb2a80bb1dcfb0eda26
Instruction ID: 44cd4c536caff34d1599cec7f5fafd0f0d55b1e9a43c862d5761f6e0d7526830
Opcode Fuzzy Hash: 0815c7cca971519b048b1da389264e4ab26db122c5ca2eb2a80bb1dcfb0eda26
Instruction Fuzzy Hash: 5571C2B1600205AFDB24AB65C49A7EEB7E6FFC4300F14893AE506977A0DF359C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075AB650 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d053bd9805809929a3b7c953c640972296b015f37e5f9648b9f2ab5608e7ef9
Instruction ID: f2f16c2ae3aafca7b8b54a3ffff587a2369a44337e47853c23cde005f49b7130
Opcode Fuzzy Hash: 4d053bd9805809929a3b7c953c640972296b015f37e5f9648b9f2ab5608e7ef9
Instruction Fuzzy Hash: C991C6B5A0060AAFDB15CFA8C880ADEB7F2FF48310F14852AE92997351D770E955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 075A6370 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1337a4f55226cd564f0e20cf44367c751b60dc50504acaa61ab84fe6eae92d79
Instruction ID: c8524adb6839a8b8ec7646afb2b7f308828cd546c7c3c23f74a780a52b753151
Opcode Fuzzy Hash: 1337a4f55226cd564f0e20cf44367c751b60dc50504acaa61ab84fe6eae92d79
Instruction Fuzzy Hash: 8D619075B10219AFCB04CF64D454AEE7BF6FF88611F18446AE802AB391DB31EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 075AD868 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0a3d27c11b60b8ac94558da3b08207899291cd7fb0cce62d75d084aea6f2f1
Instruction ID: c7899a57db58e83ce39a052e4484156311fc4846cd17bab5aa0c1fa0246a001c
Opcode Fuzzy Hash: ae0a3d27c11b60b8ac94558da3b08207899291cd7fb0cce62d75d084aea6f2f1
Instruction Fuzzy Hash: C781E874A00349CFCB04EFA8C59899DBBB1FF49304F1589A9D8099F36ADB76E945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 075AD821 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5343e18c612d0a9211174ac9a1b5f5a289f24bd3af9d10cf1fee076a03c241ae
Instruction ID: 8bc47f5488e0912c93954a5065e1056da4f1ebb5870665bcd095c92fbfce6932
Opcode Fuzzy Hash: 5343e18c612d0a9211174ac9a1b5f5a289f24bd3af9d10cf1fee076a03c241ae
Instruction Fuzzy Hash: 79812774604345CFCB09EFA8C488A9DBBB2FF45304F1589A9D8059F36ADB76E985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 075A36F0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bced68feaa5dcd7c337dab5d0b8358bf20f14083c5eb7d4c5cc141a3754a7533
Instruction ID: 36a54a4a755444de24c49befd740f26466fd3135973b48f1378a915cfe87ecb6
Opcode Fuzzy Hash: bced68feaa5dcd7c337dab5d0b8358bf20f14083c5eb7d4c5cc141a3754a7533
Instruction Fuzzy Hash: 4B5181B5601612EFC708EF68C0908ADB7B2FF86714B6181BDD4168B351DB36EC02CB92

Uniqueness

Uniqueness Score: -1.00%

Function 075ACE48 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46ce4fedf103cb4d9374171e0ac4d33f2e241f2f98bf32041e8d8aa60d0f73e
Instruction ID: 87d57bd75bdeb1a7a38f4e714e62bc0becb318bc2dd43c78c16ef7f5fb5bfa7d
Opcode Fuzzy Hash: e46ce4fedf103cb4d9374171e0ac4d33f2e241f2f98bf32041e8d8aa60d0f73e
Instruction Fuzzy Hash: 78512F75A1060A9FCB00DFA8C8948EDF7B5FF89310B109669E406FB314EB30E985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075AD531 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456484caa2967f257ac1395653c09cbf8d5d17b10d42a64be85adb144b5042e0
Instruction ID: 8363af510efb3f268d4a03a21f5a0049e15deabbe8f2bbf58132aad27a6959cf
Opcode Fuzzy Hash: 456484caa2967f257ac1395653c09cbf8d5d17b10d42a64be85adb144b5042e0
Instruction Fuzzy Hash: 5941DDB1701345AFCB18EF24D914AEEBBF2BF89200F24857AE809DB655CB35D901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075A6788 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7021bdffdcb6a538fb96b6b28badd8d7b5d2fb2cfc325e4d4c39fd7a9aeab8
Instruction ID: c28b07cd31056065001f8246ecfde236b8a2416cd0dda73875a96dbd9a5246cf
Opcode Fuzzy Hash: 3f7021bdffdcb6a538fb96b6b28badd8d7b5d2fb2cfc325e4d4c39fd7a9aeab8
Instruction Fuzzy Hash: 6141AEB5B04217EFEB11DF68D8949AEBBB9FB85610F0980BAD501CB351DB30E845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 075AD5C0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e503252b7ff93035d6380bebe62d767d9549a599049c7d64c00c6b99cdaaeca3
Instruction ID: ebe90dd837a54ed424ddb08b54e9815f8e095bb2eeb8987aaa8619a25e56d920
Opcode Fuzzy Hash: e503252b7ff93035d6380bebe62d767d9549a599049c7d64c00c6b99cdaaeca3
Instruction Fuzzy Hash: 92417EB5B01746EBCB18AF64E954AEEB7B2FF88200F10443AD40697654DB35D941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075A3EF0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb45580faa97bdcadd7c87798e1dfe2cb1fd7a188254e2779272ae3b5c099dd
Instruction ID: 22b9eb8a6e9823d3b71e4d901163cbc5ac6c252590e63af8fef5ee2faf090001
Opcode Fuzzy Hash: 4cb45580faa97bdcadd7c87798e1dfe2cb1fd7a188254e2779272ae3b5c099dd
Instruction Fuzzy Hash: 2141CFB1700541AFDB29AB78C454AEE72E2BBC9714F04447ED40ACB791DF78AC06C792

Uniqueness

Uniqueness Score: -1.00%

Function 075A36E0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea8d63fc581ad61aa76d3b31648ce503a1db51f83b91ac7ca3c73906d95eebb
Instruction ID: 838e8b54acbef63de508fbe45d20128b0006d55530e5a631e710052fff6b255a
Opcode Fuzzy Hash: cea8d63fc581ad61aa76d3b31648ce503a1db51f83b91ac7ca3c73906d95eebb
Instruction Fuzzy Hash: 2941A2B5A01602EFC708EF68C0919ADB7F2FF85714B5181B9D4169B361DB36EC42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 075AD050 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31713b3a8dd4e76a72baa9477a32accede79d7dc185c087dc919458cd5df5be0
Instruction ID: b24dda97d2fab1380fbd41d5e38f5e7a3830e08aa2013e43510c1c36ea887da2
Opcode Fuzzy Hash: 31713b3a8dd4e76a72baa9477a32accede79d7dc185c087dc919458cd5df5be0
Instruction Fuzzy Hash: 92418335A10609DFCB00EFA8D8848EDF7B5FF89314F00826AE515AB321EF71A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075AD360 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b32ab44cf8ef231245b3cea21abd1b02bbb0efc7ab4dc5018e75aecfce14bb
Instruction ID: f5361c916c38c7a7dee286f0ade61411f70ba4bf929ff312d5265bb66f278d8c
Opcode Fuzzy Hash: 08b32ab44cf8ef231245b3cea21abd1b02bbb0efc7ab4dc5018e75aecfce14bb
Instruction Fuzzy Hash: FD317AB2F10219EFCB14EFA8E8544DDBBF6FF89210F10892AE405A7764DB719845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075AE390 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce94ac8412631e5f17d72140b6a29967f881ece3ced3d7a6aa208e8ae69b4481
Instruction ID: 67d8f550598c2e9f194f01773eba284e5ad68915479fb01673f09512f9579fd6
Opcode Fuzzy Hash: ce94ac8412631e5f17d72140b6a29967f881ece3ced3d7a6aa208e8ae69b4481
Instruction Fuzzy Hash: 3431E1B0D093819FD756DB68C4106EEBBF1AF46204B0984ABC444DB7A2D738D802CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 075A5B78 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04c0809d418efb79ed32e9d44b7fe72cd3f373f392ea7e69ede277f8468d35a
Instruction ID: e93f68d4f9aa8110e695bf3b56ee4b7f5a33a00c1a8bc5e1acb129e380d52dc8
Opcode Fuzzy Hash: c04c0809d418efb79ed32e9d44b7fe72cd3f373f392ea7e69ede277f8468d35a
Instruction Fuzzy Hash: 2721F170A04208BFD700AB74DC41BEE7BB6EF8A740F108066E506DB291DB396D0A87A1

Uniqueness

Uniqueness Score: -1.00%

Function 075AADB0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84aefd84aa48ad1a8a44df356f867b4b76a5f78d846efeeb0cbc5ed1843cab0a
Instruction ID: 8eac0f3bed307bd29eecb57bde67d3e7a319f72bdc4b2be976bb3dd2072dabf7
Opcode Fuzzy Hash: 84aefd84aa48ad1a8a44df356f867b4b76a5f78d846efeeb0cbc5ed1843cab0a
Instruction Fuzzy Hash: 532101B6B102119FDB248A25C9915BFB7E6FFD4318B28C47ED24693790CA34ED40C761

Uniqueness

Uniqueness Score: -1.00%

Function 075AD1A8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd731f7a01b161678a2e0248e353348d2292430d26875ec13fadca45bf513cdf
Instruction ID: 46b55015badf10b1738138ba9ffcb428992f4613d637eeac72a6e3517b00147f
Opcode Fuzzy Hash: cd731f7a01b161678a2e0248e353348d2292430d26875ec13fadca45bf513cdf
Instruction Fuzzy Hash: BA312135A10609DFCB05EFA8C894CDDBBB5FF89310F018659E5057B224FB70AA89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075AE548 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68c6db323360f8c2d1d56c292a94ca7022e112cae1e1ae5a14ebe827b1a77ff
Instruction ID: 7accb7a7945c62c0c33ef6594d54484328b0a73b86e3c1ba430ad1d0ef9f02e4
Opcode Fuzzy Hash: a68c6db323360f8c2d1d56c292a94ca7022e112cae1e1ae5a14ebe827b1a77ff
Instruction Fuzzy Hash: 8C219F74700106AFCF109FA4F88A6AEBBF4FF88341F04496AE509D7291EB70D905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D3F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265366587.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8192c5bb13584a8c0cb9a648a416055aa5f54eb2931b3a88e2c3837e81c3a4b2
Instruction ID: 7eef959ae2b4bedfc3d4d384c717248c0dcad5dd29a3b53e997d94cd557506ea
Opcode Fuzzy Hash: 8192c5bb13584a8c0cb9a648a416055aa5f54eb2931b3a88e2c3837e81c3a4b2
Instruction Fuzzy Hash: F8212871504240DFDB00EF10D9C0F66BFA5FB94324F28C5AAE8050B7A6C336E855D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D4DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265366587.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e556285977e6cde6946bdf9c4f4eae42ce257d0d5d70bb6060bc8accec85d38b
Instruction ID: 81323b3aef95479dbdb6c163ccf548411c7b15fcd0d0471cf6ca987ecd68e65e
Opcode Fuzzy Hash: e556285977e6cde6946bdf9c4f4eae42ce257d0d5d70bb6060bc8accec85d38b
Instruction Fuzzy Hash: BF213A71504240DFDB00EF10D9C0BA7BFA5FBA8328F2485ABE8050B7A6C336D845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 075A2134 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34520c32501883ba2fccbbd8982e92101a6959abf030254dea46bc66c5157e99
Instruction ID: 66343d0fa23838de5f252c01ed59c71375579f40c751747ef8b7c89435a1a82e
Opcode Fuzzy Hash: 34520c32501883ba2fccbbd8982e92101a6959abf030254dea46bc66c5157e99
Instruction Fuzzy Hash: 7B21AEB0F0020ADFCB54EF64C895AAEB7B1FFC9300F1084799515A73A0DA749D42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265593969.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f665ac867e0fad6546b0784fdda458e898ac3e6b25d44771b5eebc96b79981
Instruction ID: d350fdb80f718830161e64ad10c4bf8cfac33d4e43236b128627860420707799
Opcode Fuzzy Hash: 33f665ac867e0fad6546b0784fdda458e898ac3e6b25d44771b5eebc96b79981
Instruction Fuzzy Hash: 86212275604240DFDF14CF20D8D0B26BBA1FB84324F20CAB9D80A4B746C33AD806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B9D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265593969.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1370a93970763b55e1a10b8dfc1f9bd2aecb0d1bd560017d8436a5406b64071b
Instruction ID: 1b40cad82f8bec9c0a949e2776ee59d36b7c9a6f4ac8e6f558486874e4cc7ffb
Opcode Fuzzy Hash: 1370a93970763b55e1a10b8dfc1f9bd2aecb0d1bd560017d8436a5406b64071b
Instruction Fuzzy Hash: DF21C275604240EFDF05DF11D9C0B26BBA5FB84314F24CABDE8494B796C336D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 075A0B80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fcbc3245b12114400be567b491cace6ac07deb805ab7c3bc5c2f0307be49ae
Instruction ID: 6dee2f74d3fb39714d95a3debff39076039efdf07acffa18c990a0ebfaf72f4a
Opcode Fuzzy Hash: 75fcbc3245b12114400be567b491cace6ac07deb805ab7c3bc5c2f0307be49ae
Instruction Fuzzy Hash: F6212F75A106099FCB10EF6CD84059EFBB5FF49310B50C26AE958A7200FB31A998CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075A6360 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44bbac5dc8e55ed2469ae09d025bcb6bd9d5baa2c766abc5beaa36ce83b78bb
Instruction ID: 3c142417bb83d6159fecfd0dd1e75e7e27311d33da5a9b6f4ee1377cb2e8f454
Opcode Fuzzy Hash: d44bbac5dc8e55ed2469ae09d025bcb6bd9d5baa2c766abc5beaa36ce83b78bb
Instruction Fuzzy Hash: A7212875A00209EFCF04DFA4E845ADDBBF1FB48321F14546AE901B72A0C732AD55DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 075A59B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ffb727e8e6d158f5e69dddd49d1a88dcfc934d378edf7bba315098da81215b
Instruction ID: 31b532f27157e5bbb92bab69ffc8e0055d385c2192c7ce178825a6ed65c5f885
Opcode Fuzzy Hash: 31ffb727e8e6d158f5e69dddd49d1a88dcfc934d378edf7bba315098da81215b
Instruction Fuzzy Hash: 712119B4E102199FDB04DFA9D884AEEBBB2FB89301F10842AD915B3354DB745915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 075AE0B4 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff0b191e5bae5a5db93976155f64b3c3751c688c81d835db06fad052d7de4d8
Instruction ID: a7394eea8128f669d8998fe38180291d548506fee40852a82e6137c934535775
Opcode Fuzzy Hash: aff0b191e5bae5a5db93976155f64b3c3751c688c81d835db06fad052d7de4d8
Instruction Fuzzy Hash: 4321BDB5D0034AAFDB10CF9AD884ADEFBF4FB48224F14842AE915A3250D374E945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B9D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265593969.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901412f065508f87b41464a589d1da92ec11cc7386f8b23ee38ddc01c02e8e8c
Instruction ID: 20834db45a16d52130f5355cf11a0a9267e59d6ca89ef57778643071921c308c
Opcode Fuzzy Hash: 901412f065508f87b41464a589d1da92ec11cc7386f8b23ee38ddc01c02e8e8c
Instruction Fuzzy Hash: 3721C9755093808FCB02CF20D5A0715BF71EB45314F28C5EAD8458B657C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 075AE3AC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71591a689a2965ebd0c015345a4e314d158c2d7921d5b405ceb303184406c818
Instruction ID: 3e32d99d15a2d3ea992528e38a8680fc9a7ac9be73435096ab86b0e6e89b4c8f
Opcode Fuzzy Hash: 71591a689a2965ebd0c015345a4e314d158c2d7921d5b405ceb303184406c818
Instruction Fuzzy Hash: 9E1156B0E0120ADFCB59DF69C444AAEF7F1BF49314F1484BA9418AB361D738E902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 075AE539 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd16ec5f07b90e36420dbdc17a37adbe6bd9fa48a30af9fba116c254855879ce
Instruction ID: fd30d27203b87226d4011d22ae9c3a4218fa1c8d815f715f8b7353992308ac3f
Opcode Fuzzy Hash: fd16ec5f07b90e36420dbdc17a37adbe6bd9fa48a30af9fba116c254855879ce
Instruction Fuzzy Hash: 20117F747001419FDF10EF94E9966AE7BE4FF88740F04487AE8099B391EB70D905C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D3EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265366587.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction ID: b4b897ec3f455c66d4dba67077326eacf58e81eb5f4524bc36e092fe2ecb53bb
Opcode Fuzzy Hash: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction Fuzzy Hash: B8119376504280DFCB15DF10D9C4B16BFB1FB94324F28C6AAD8094B766C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D4D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265366587.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction ID: 5215626554fc79864eb2d2028a772e03ac44c7f63e0a85e50f71f2d7246fd508
Opcode Fuzzy Hash: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction Fuzzy Hash: 2511D376504280DFCB01DF10D9C4B56BFB2FB94324F24C6AAD8050B666C336D956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 075A2124 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781d1b0591a25ec1a81bfea3e927b410b9233fd2b41b1d96086cbb986a3b6bbd
Instruction ID: 4009ab19151b3126860415ea822a0c8c5fb82a18e36a4484ac7fe3069b5db53c
Opcode Fuzzy Hash: 781d1b0591a25ec1a81bfea3e927b410b9233fd2b41b1d96086cbb986a3b6bbd
Instruction Fuzzy Hash: 760192B67516029FD7149A28C845EBD3397FBC5620F194976E416CB3A2CA24D8428651

Uniqueness

Uniqueness Score: -1.00%

Function 00B9D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265593969.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43bc81a3ff9705b917d63333e3be4ed1b9938392dd5ea36af53da639c8dcacc
Instruction ID: a750cac9577c9b1343622ac8c553cade8d0534f242d669e8498b71f985f29f2f
Opcode Fuzzy Hash: e43bc81a3ff9705b917d63333e3be4ed1b9938392dd5ea36af53da639c8dcacc
Instruction Fuzzy Hash: 57117975904280DFCB11CF10D5C4B15BBA1FB84324F28C6AAD8494B696C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 075AAE88 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a84004bc94ad9fd6ebf1a2fea5677e31821bd9a66595e18153d3d2967d70bc1
Instruction ID: 032c55bbdb888375cac86b0bddc965375f67186597f27eed8dd7aa8066dd7dda
Opcode Fuzzy Hash: 8a84004bc94ad9fd6ebf1a2fea5677e31821bd9a66595e18153d3d2967d70bc1
Instruction Fuzzy Hash: 9B012875A04254AFC711EBA8DC948DEBFB5EF8221070141AFD5459B321E7305A49C7F2

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D75D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265366587.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b573dd95db0d28e7c63ac271ef94c3dbea75044686fb70d83932a5093f2c1a
Instruction ID: 0e0c175fb08d7f19b8279df7809687afaad8b1f4d062011a9008e59778097cc8
Opcode Fuzzy Hash: 33b573dd95db0d28e7c63ac271ef94c3dbea75044686fb70d83932a5093f2c1a
Instruction Fuzzy Hash: F001DF39508244AEE710AF11C8C0BA6FBE8EF41364F18849BED040AAE2C7799C48C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 075AB08C Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22471b38595ec04d141a6e995d5bde78cff8d9c8777e56b979f8a03967da4c64
Instruction ID: 0a8dc90e1e40ba6619bc5000d37009fb18aa8843775136cfbab3b35640739b7a
Opcode Fuzzy Hash: 22471b38595ec04d141a6e995d5bde78cff8d9c8777e56b979f8a03967da4c64
Instruction Fuzzy Hash: 2101C574210B05DFC710EB28D484BE9B3E5BF49204F148C6AE2AACBB79D771E8048B90

Uniqueness

Uniqueness Score: -1.00%

Function 075ADF60 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba35d0ddb89fb0baf577a3a646975f8bbe17b2e091a2ec0f3aac089d157e943a
Instruction ID: 6e1de29104ebaa19982091e3fccbca7ae938bdfd10b4acfbc738c1fe95008ce9
Opcode Fuzzy Hash: ba35d0ddb89fb0baf577a3a646975f8bbe17b2e091a2ec0f3aac089d157e943a
Instruction Fuzzy Hash: 72F062367003449BC354AF59E809A9ABBA5EFC5361F20C43BF9498B744CE318806DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D75C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265366587.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a576efffc4831921c58336c0e9746b83af73fa3b5208d7c73331ca5edb31f7e2
Instruction ID: 5ca22f97cbab66e69d4feb695e4e0e55b78b6cf28f0df694a526c0f39e0f2972
Opcode Fuzzy Hash: a576efffc4831921c58336c0e9746b83af73fa3b5208d7c73331ca5edb31f7e2
Instruction Fuzzy Hash: 14F0C2754042849EE7109E05CCC4B62FFE8EB41774F18C49AED080B692C3799C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 075A2304 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbd4dffe06d5810fc842573e07bc1a228c1158f005ab39b148686fab0564cb8
Instruction ID: 964d7544b1938bcd2cbed16ff508167ef5ce76f41c2065fd20c9b9bca1825474
Opcode Fuzzy Hash: ebbd4dffe06d5810fc842573e07bc1a228c1158f005ab39b148686fab0564cb8
Instruction Fuzzy Hash: 80E0D8B1F15622F78355173844112AEB1857F8AA68F104E7AA4059B794CA32CC4243C0

Uniqueness

Uniqueness Score: -1.00%

Function 075AA698 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f0b8d87854eb0a61460a7ce504258a80cc699fe47afb8085850cb46b29cd32
Instruction ID: 61ebb726b34ce320fbac629229eceaa064c898cc04e63053371e4806faea0aec
Opcode Fuzzy Hash: e3f0b8d87854eb0a61460a7ce504258a80cc699fe47afb8085850cb46b29cd32
Instruction Fuzzy Hash: 9AF01C71A152489FD741CF64E8447CCBBF0FB05214F1182E7D844D7261D7364641CF00

Uniqueness

Uniqueness Score: -1.00%

Function 075AFC87 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e54d49cec64e912519ab55d9088f27d2bdd8f5f46aa9e7135b2290dbe7111b7
Instruction ID: ed0d7e686c2e57a1acfc4ac2a68f5fe101a8042f4b16a07bc644cf2c3cd3316d
Opcode Fuzzy Hash: 5e54d49cec64e912519ab55d9088f27d2bdd8f5f46aa9e7135b2290dbe7111b7
Instruction Fuzzy Hash: 8AF058B1600B019FC328CF0AD894AAABBF0FF44715B14C86FD84E87A65CA30F841CB10

Uniqueness

Uniqueness Score: -1.00%

Function 075A5708 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67d10ec0b75a1df980e8e229561b1571fa5126a54883ea0e8c0628633439747
Instruction ID: c57030d19b8736417a0df90ba3445bdee1a821853ecf66e1fae65cb6eb8e6f46
Opcode Fuzzy Hash: b67d10ec0b75a1df980e8e229561b1571fa5126a54883ea0e8c0628633439747
Instruction Fuzzy Hash: A7E0DF75C10108AFD744EBE4E849BDDBBF0EB04218F1002BAC804E7340EB309A868782

Uniqueness

Uniqueness Score: -1.00%

Function 075A3698 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879b3199214ad7523762ac3fb22970083a46b6da160d57c8f7744d9804e62a9e
Instruction ID: 1961f121bc7156c874c2982a2ee4fa5826b27d6340fe24847a7a5fde283fc956
Opcode Fuzzy Hash: 879b3199214ad7523762ac3fb22970083a46b6da160d57c8f7744d9804e62a9e
Instruction Fuzzy Hash: 17F030709143489FC740EFA8E855A9DBBB4FF45309F1181EAD804D7361D735D905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 075A1560 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75d3400a0226c2ff5437d12f6103b88d944ebe73a37a481f37ce9ec3e424e82
Instruction ID: 44b82aa01aad5726b6daa35f84360e44b5b863bd62da70e131b37b96cb9fff55
Opcode Fuzzy Hash: f75d3400a0226c2ff5437d12f6103b88d944ebe73a37a481f37ce9ec3e424e82
Instruction Fuzzy Hash: B7D02E2B30012413C320201FA8803EB62CF8BC5922E08803FE406D3340DD2A880641E5

Uniqueness

Uniqueness Score: -1.00%

Function 075A1519 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d384285764753022c2f5e8e26f7f59caeedd21cbe369c7662dacc920cb64ee34
Instruction ID: 3792a39e66d9badc4ace7a5a5cc69dad9b85c08c464c4b68e3ac7a3243fd13b1
Opcode Fuzzy Hash: d384285764753022c2f5e8e26f7f59caeedd21cbe369c7662dacc920cb64ee34
Instruction Fuzzy Hash: CDE092B0D14208AFD700DFA8E44579D7BB5FB09709F0140E6D404A3351D731DA08CA40

Uniqueness

Uniqueness Score: -1.00%

Function 075A5B38 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e985588031ed49c8e9d17f0e8a8e1ac966a62c2d840621ae58d9c5e2b648ce
Instruction ID: b0d6ddc63999b7ff0a0e303b0ce4f137473f47c47d6c59cb17ef3ee8b9dc7921
Opcode Fuzzy Hash: 37e985588031ed49c8e9d17f0e8a8e1ac966a62c2d840621ae58d9c5e2b648ce
Instruction Fuzzy Hash: 3FE0C974D0021DAFCB44EFA8D845AADBBB0FB48311F0086AAE815A3310D7715650DB81

Uniqueness

Uniqueness Score: -1.00%

Function 075A2294 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ffa5459fad0a99ba91130abceafbb7f75557ee500176a1b86b50b57e781df7
Instruction ID: c7f1e3a4669d8569875a5579bc90d2e2b05d065b217e3496e313bfbe9f1df33d
Opcode Fuzzy Hash: e5ffa5459fad0a99ba91130abceafbb7f75557ee500176a1b86b50b57e781df7
Instruction Fuzzy Hash: BDD0A736759224B34608726D54544DF72DEBFC65257444D3BE509C3F20DEA49D0941E3

Uniqueness

Uniqueness Score: -1.00%

Function 075A5960 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627717fae440298a332bbf9f2ed265b34bbfb60928bb044bcd082fe7c3423e47
Instruction ID: f55beccc755dfe5e702148024093b5a64b904a06860e5c7e4beae9e20af0d6e4
Opcode Fuzzy Hash: 627717fae440298a332bbf9f2ed265b34bbfb60928bb044bcd082fe7c3423e47
Instruction Fuzzy Hash: 3FE0C9B4D0021CAFCB44EFE8D904AAEBFB4FB48310F0086AAE854A3314D7715650DF91

Uniqueness

Uniqueness Score: -1.00%

Function 075A36A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e44fa4e352017c414166323444d865dc118d95451c3fe620a14b8cf4538c4f
Instruction ID: c4e36ee6340288fbae9bf023e3e857c9cbf2cc44ec495f1e53e688b68e9eea66
Opcode Fuzzy Hash: 83e44fa4e352017c414166323444d865dc118d95451c3fe620a14b8cf4538c4f
Instruction Fuzzy Hash: 49E0B674E14208AFC744EFA8E444A9DBBB4FB49305F1181EAD80897360D7319A41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 075AA6A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bcb4bcac25841fc8fe1b5a2f71677d6dda038283f790162c1fadbba2642fa3
Instruction ID: 7f63589d81f04259057e6e45547cdb1f021fbc206d57c5c6abf49a7deddb67d2
Opcode Fuzzy Hash: d5bcb4bcac25841fc8fe1b5a2f71677d6dda038283f790162c1fadbba2642fa3
Instruction Fuzzy Hash: 34E09274E20208AFCB80EFA9D448A9DBBF4FB08615F0081EAD808D7360E7359A40CF41

Uniqueness

Uniqueness Score: -1.00%

Function 075A5918 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09311e3d5884059f8b756250e8333585751efa2eb999c40d82f8f729dd37d176
Instruction ID: 6626cd8674d6a4c069563e261db42555b3ddb90bc3c4367a1b777a7628ab5e15
Opcode Fuzzy Hash: 09311e3d5884059f8b756250e8333585751efa2eb999c40d82f8f729dd37d176
Instruction Fuzzy Hash: 7EE09274E11208EFCB40DFA9D545A9DBBF4FB08615F0081EAD909D7360E7359A50CF41

Uniqueness

Uniqueness Score: -1.00%

Function 075A1528 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5b6bc2bf0b4bd2c817068a6a7277d8c17677ecd8a0713eaf140b2eaeb92ffc
Instruction ID: 9a0675f6d6280648c2bd530f52a03828b20da392a8471d086f88c5ae62189848
Opcode Fuzzy Hash: fd5b6bc2bf0b4bd2c817068a6a7277d8c17677ecd8a0713eaf140b2eaeb92ffc
Instruction Fuzzy Hash: 1EE046B0D14208AFCB04DFA8E508A9DBBF4FF4A305F0081EAE80893360D7309A00CF51

Uniqueness

Uniqueness Score: -1.00%

Function 075A5718 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda6ea421e11df3b5477fe641d5a41dbb2ec37e42f42c7bd754bd4f9ef2c30f9
Instruction ID: 3668587159e46889c3e238dcc83f580e255a3bcabbd734675bc2b78110eed55a
Opcode Fuzzy Hash: eda6ea421e11df3b5477fe641d5a41dbb2ec37e42f42c7bd754bd4f9ef2c30f9
Instruction Fuzzy Hash: EEE08C70D00208AFC704EFF8E408B9CBBF4EB04218F5001FAC904A7340EB309A86C781

Uniqueness

Uniqueness Score: -1.00%

Function 075A2FA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4374dfee6b14bd1de612ed33cad0ee82684199e98caed67a75c4076dc8062472
Instruction ID: 15ae12385be0b1d11bda651a9deab5f930b6d4d6e4965e1170cd7ae12fc5b1a2
Opcode Fuzzy Hash: 4374dfee6b14bd1de612ed33cad0ee82684199e98caed67a75c4076dc8062472
Instruction Fuzzy Hash: 9DE01270D15208EFC754EFB4E50569DB7B5FB84305F1081FAC80893340D7359A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 075ACA70 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8aa3a6e6302521d4047d3d3e4698357de93797917021330538e4f45a968eca
Instruction ID: 073e382ef30c76357de319b2bd196cd3a56e791a3a8bc88ca2f4342757cec993
Opcode Fuzzy Hash: fc8aa3a6e6302521d4047d3d3e4698357de93797917021330538e4f45a968eca
Instruction Fuzzy Hash: 58E0EC70D05218ABC754EFB4A5146ADBBB5BB89305F1081FAD45863240DB359A41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 075A1570 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a932b7e1ae6b5c55a443cf2c77c347e5507b3759fa3a474e1685dd693adb395
Instruction ID: c795eefb4bc56886532b093bde4e985ca3fc534ce2c001dd2e8e07dc56c5507d
Opcode Fuzzy Hash: 7a932b7e1ae6b5c55a443cf2c77c347e5507b3759fa3a474e1685dd693adb395
Instruction Fuzzy Hash: CBC0807F704538134625306F24444FFA6DF4FC5961705457FE50A83344DD759C1181E5

Uniqueness

Uniqueness Score: -1.00%

Function 075A2920 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a26f3b950fa981a589757c86fd705870d469969d48c3599458f8f1bcba58805
Instruction ID: 23204089e365a652d1558d8549dd797fb56b761d56eda44337cbd9ed09f5feeb
Opcode Fuzzy Hash: 2a26f3b950fa981a589757c86fd705870d469969d48c3599458f8f1bcba58805
Instruction Fuzzy Hash: 17E0ECB0D05218EFC755EFB8A50569DBBF4BB85305F1082FAD85853244D7358A41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 075A4D80 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91aa28ab4a83a78a00a924a512ba1646f0f643f97ac41f83eadcd554aa5a938a
Instruction ID: 47b1af28dff5d4afc070fa6e5f962426c21a7b336745238d485cc2f7498c3302
Opcode Fuzzy Hash: 91aa28ab4a83a78a00a924a512ba1646f0f643f97ac41f83eadcd554aa5a938a
Instruction Fuzzy Hash: 7CE0EC70D05208EFC754EFB8E54569DB7B5FB44305F1081BEC81493240D7759A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 075A1F48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef11580ca31bcf0877ff8153914ec523bbb5cd52ccb45a7311cdea306b8d0d4
Instruction ID: 2a107bd158de3d1e220d21f6e2325578475ee86f9d9b9697a9d8d3ad927c7bb3
Opcode Fuzzy Hash: 5ef11580ca31bcf0877ff8153914ec523bbb5cd52ccb45a7311cdea306b8d0d4
Instruction Fuzzy Hash: 91E0EC728002ADBBCF119E459844BDA7F69EF01664F544066FA582F011C773A86297E1

Uniqueness

Uniqueness Score: -1.00%

Function 075AD008 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afba7e767d207b39acb92ef8aff0ab325ca3717806bfb04ef362d05810ccedcc
Instruction ID: bf8b8345a54af84b2cbac2adb2cec12c5f03e8040e7a82c03fb34d0063fd9527
Opcode Fuzzy Hash: afba7e767d207b39acb92ef8aff0ab325ca3717806bfb04ef362d05810ccedcc
Instruction Fuzzy Hash: 6FE0E27191070CAE8B40FF78D9484AE7BF8BB15210F80C53AE9099A500FA30D2999B81

Uniqueness

Uniqueness Score: -1.00%

Function 075ACE08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4885a03a744d391f0775f6883faf80312914a60c1f9fd04a859020648df92b4
Instruction ID: 42e9ff5d3097b2f9300c2b83f3ecb5ed05d24e2236bb184475b7a26441698e19
Opcode Fuzzy Hash: c4885a03a744d391f0775f6883faf80312914a60c1f9fd04a859020648df92b4
Instruction Fuzzy Hash: D2D05E70921208AFC704EFB4A40475D7BB4BB04205F5001BEC80453240EB318A55C691

Uniqueness

Uniqueness Score: -1.00%

Function 075AAA64 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd1e09ffac0f0ecc6f3eb8f9f7e4fd6c67f08d102cefd9ec0a10e9addfe6af1
Instruction ID: 534681822c128c215f1d4246d9bd47f06cc7a21252208f9c22b254aaf9a2b300
Opcode Fuzzy Hash: cdd1e09ffac0f0ecc6f3eb8f9f7e4fd6c67f08d102cefd9ec0a10e9addfe6af1
Instruction Fuzzy Hash: 6ED0C934280108EFC780AF14C444CAA7BA6FF29361B108861F9484B731C631E811CA91

Uniqueness

Uniqueness Score: -1.00%

Function 075AFC68 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea06589af9cfc1717168955921bffe86c12e613ad7c866706c2f0114ac3425ce
Instruction ID: 93ded99ded0dfb91ecdaed999fde6ba1a2668f077a22fa1c906666586a6e6cf8
Opcode Fuzzy Hash: ea06589af9cfc1717168955921bffe86c12e613ad7c866706c2f0114ac3425ce
Instruction Fuzzy Hash: C0C09B3232453417D608319DF4165ED76CDD789665F54007BE50EC37415DFA5D4103DE

Uniqueness

Uniqueness Score: -1.00%

Function 075AFCE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a949b7d61440836ce0a13a58e8ad281a4ea43f29abd2614299a5d8055409cea7
Instruction ID: 1ae0fd301154605b9f731882537e4c36cd1dc43ff4e2416cfccac09692755c38
Opcode Fuzzy Hash: a949b7d61440836ce0a13a58e8ad281a4ea43f29abd2614299a5d8055409cea7
Instruction Fuzzy Hash: 54B09B2173413813D508319D74135ED718D97C5965F40007B950D877415DD65D4102DE

Uniqueness

Uniqueness Score: -1.00%

Function 075AAD50 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998888144036a2573afa5a7002754ab579468daa4ce0ede6fe25cf38b674c823
Instruction ID: 13fd9ed7b8953ef6c63d2438a4fb6b818fb818feea99dcba055b399acf237513
Opcode Fuzzy Hash: 998888144036a2573afa5a7002754ab579468daa4ce0ede6fe25cf38b674c823
Instruction Fuzzy Hash: E6D01224C0D7C18FC7229B3489264DAFFA0BEB3200B09D3EF85C04A042DA5A04D5C762

Uniqueness

Uniqueness Score: -1.00%

Function 075A3930 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9563d5f725b2c825a036154db0efa307fd9ee4b7727b11efd907608115fb21
Instruction ID: 8108f70d4c5f97d15bfad853dc8fdeff4f9487b87165dc70a6abace389aa508e
Opcode Fuzzy Hash: 8e9563d5f725b2c825a036154db0efa307fd9ee4b7727b11efd907608115fb21
Instruction Fuzzy Hash: 05C0926B0A4101AAE6682190994BBDA7601ABD1B24F04502AE60959E92D06290A1A5AB

Uniqueness

Uniqueness Score: -1.00%

Function 075A2234 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a009157cc8cbf89a1e4868aba923bc0def270f8eef51efcaa74b69639efa00f
Instruction ID: 64462bdbbbe530cc2da2fa1efe5c8961eee029f5fc62af3b0c7c99b4d8e31b79
Opcode Fuzzy Hash: 8a009157cc8cbf89a1e4868aba923bc0def270f8eef51efcaa74b69639efa00f
Instruction Fuzzy Hash: 1CB012BE298102FEE20437500411FDEF001BFD1B1CF009C263706186608962D420D1BB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 075AA3B8 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

@u1t, xrefs: 075AA5FE

Memory Dump Source

Source File: 00000000.00000002.276782234.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID: @u1t
API String ID: 0-2036309773
Opcode ID: caa5a5e133ea13a581a522d1c34a688c253055b856da62c9bb7a5431ae465fab
Instruction ID: 649eeda047c232f73d6037a67393109c80025280e6f4defabba829225a9227f0
Opcode Fuzzy Hash: caa5a5e133ea13a581a522d1c34a688c253055b856da62c9bb7a5431ae465fab
Instruction Fuzzy Hash: BA919CF0E00216AFCF19CF69C5806AEBBB2BF89200F15C4BAC8156B751D731E941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 029DE4FC Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266716584.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_s0VxndYXq0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33576d7907a0b4994557f93b2c3955155e005edb5aad01e4131c3c539e693ecf
Instruction ID: 083c2028f12a03698f71f5fda1cc0454a729a0ef5679abdaf0dadb6111758ead
Opcode Fuzzy Hash: 33576d7907a0b4994557f93b2c3955155e005edb5aad01e4131c3c539e693ecf
Instruction Fuzzy Hash: 57A17A32E00209CFCF05DFB5C8445EEBBB6FF88304B15856AE906AB225EB34A955DF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: remcos.exePID: 3908, Parent PID: 3704COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	88
Total number of Limit Nodes:	5

Executed Functions

Function 0AEE7AA0 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 0AEE7F72

Memory Dump Source

Source File: 00000009.00000002.346351421.000000000AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aee0000_remcos.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: f52e010372d4a122f57c70f608ebf7be9d4baaaa2bb5f8cb077743e1837ba7e5
Instruction ID: 40d234519ad6df7149958d3c0c0f2a80d69fefc0023d28d9b68cb13ac20543c8
Opcode Fuzzy Hash: f52e010372d4a122f57c70f608ebf7be9d4baaaa2bb5f8cb077743e1837ba7e5
Instruction Fuzzy Hash: E9A2C375A00628DFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07006988 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77647662dc0444f36433cb7dc0bcdacfeda34d5489869e304ef56b57f833248e
Instruction ID: 64a961eda8fc8f88b6b66ea4046b53216cd7cd2b90e5014ce8ceb1d23796d586
Opcode Fuzzy Hash: 77647662dc0444f36433cb7dc0bcdacfeda34d5489869e304ef56b57f833248e
Instruction Fuzzy Hash: ED526DB0B001159FDB58DF68C884AAD7BF2EF85724F158269E816DB3A0DB35ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 070053B0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e14be4f93961879754932f0f41e435f80a46c2662dbb1d041e0ad53c1ca7204
Instruction ID: 09c0a901a4d0b35b2e2e4ed12a345464b364af4271c432f673ef5febca6de272
Opcode Fuzzy Hash: 9e14be4f93961879754932f0f41e435f80a46c2662dbb1d041e0ad53c1ca7204
Instruction Fuzzy Hash: CA811374E012099FDB04DFA5DA849DEFBB2FF88311F208529D505BB298E7349A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 070053C0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bbaab15f8256f676055a2d1bcaefe211feba3ac6ba14e6b34437612cbe3ba6f
Instruction ID: 0a792063a98e1f0ab5fd7a435d8be5eecd8a913f8d7e2596972d225c7767de93
Opcode Fuzzy Hash: 4bbaab15f8256f676055a2d1bcaefe211feba3ac6ba14e6b34437612cbe3ba6f
Instruction Fuzzy Hash: D1710374E012098FDB04DFA5DA8499EFBB2FF88311F208529D516B7258E7349A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0B55 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0ADC0D96

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e1ed91cd19e03b8ecb32c897855fac0ddb517d42c6af8573f4424309459bbbd8
Instruction ID: 3eea4957617717eb6f47fd0c8894a1c2fcf2f20ea79a003c3b63786250f48a6a
Opcode Fuzzy Hash: e1ed91cd19e03b8ecb32c897855fac0ddb517d42c6af8573f4424309459bbbd8
Instruction Fuzzy Hash: B6A18C71D1021ACFDF20CFA8C9817EDBBB2BF48304F5585A9D849A7240EB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0B60 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0ADC0D96

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f86ea4ea17b741a4a0e8bc3777169e7f3cd5da562ae561e12ee90191e466b5ac
Instruction ID: 852d01b6fe1090adb06d0103b1ff582bfa43a046f0884b9fbf19e3fd55ba13f9
Opcode Fuzzy Hash: f86ea4ea17b741a4a0e8bc3777169e7f3cd5da562ae561e12ee90191e466b5ac
Instruction Fuzzy Hash: 0F917C71D1021ACFDF20CFA8C9817EEBBB2BF48314F558569D819A7240EB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F8B723 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.324398634.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f80000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d2d7307e1d590d9b13938fd78c071b7f0f5a434714549b0fb3c3b51b5c89af
Instruction ID: 2814d1d4c7ac95dba19d3c538dcee79d884e445241e8eeed48458574222bb994
Opcode Fuzzy Hash: 66d2d7307e1d590d9b13938fd78c071b7f0f5a434714549b0fb3c3b51b5c89af
Instruction Fuzzy Hash: 90813870A00B058FD724EF6AD45579ABBF1FF88314F00892DE48ADBB50D774E90A9B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F8B1A0 Relevance: 1.7, APIs: 1, Instructions: 163
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F8B9F1,00000800,00000000,00000000), ref: 00F8BC02

Memory Dump Source

Source File: 00000009.00000002.324398634.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f80000_remcos.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 729da6f139e40999051d2b4320aeac68df6cf103f5bf8b8b2d97479e49bf8afd
Instruction ID: b4cd40a257f862def62aa4ae9bdb89d4ebbdd4a48beae5bd142bedb12c14b055
Opcode Fuzzy Hash: 729da6f139e40999051d2b4320aeac68df6cf103f5bf8b8b2d97479e49bf8afd
Instruction Fuzzy Hash: C66178B1D043088FDB10DFA9C885BDEBBF5EB88324F14812AE815AB751D7749845DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F85B24 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F85BE1

Memory Dump Source

Source File: 00000009.00000002.324398634.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f80000_remcos.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9857dab315d2bb30e78b9df4d06446d69c6c90f0ddc92c6eba50ceec5fe49910
Instruction ID: 8aed31908eedd7ecdee1591490fbc84dc5005275bc315ba5dadfc06c85d39de3
Opcode Fuzzy Hash: 9857dab315d2bb30e78b9df4d06446d69c6c90f0ddc92c6eba50ceec5fe49910
Instruction Fuzzy Hash: 9641F171C0061CCFDB24DFA9C984BDEBBB1BF89704F248069D408AB651DB746949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F84338 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F85BE1

Memory Dump Source

Source File: 00000009.00000002.324398634.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f80000_remcos.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 18cdecf96f776339e4e3d101e80a3ed92cc709cc8d426d52f6d1fa73865928c1
Instruction ID: 3c7f55883362ff6e99a31caed5b323d943bb90a90d1f6758ea7efdccb8910428
Opcode Fuzzy Hash: 18cdecf96f776339e4e3d101e80a3ed92cc709cc8d426d52f6d1fa73865928c1
Instruction Fuzzy Hash: EE41F1B1C0061CCBDB24DFA9C984BDEBBB1BF49708F248069D408BB251DB746949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC07C9 Relevance: 1.6, APIs: 1, Instructions: 86
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0ADC08A8

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: afaae9a7e73749417028e40e55e5f9724bc9310d99202b6d7f4aec79d4007e2e
Instruction ID: 1ca05d3931d1c1a9aa96c8f32628c0f5834180efdf93d33e0fc55b14bc9ba807
Opcode Fuzzy Hash: afaae9a7e73749417028e40e55e5f9724bc9310d99202b6d7f4aec79d4007e2e
Instruction Fuzzy Hash: 4F315675900249CFCB10DFA9D8807EEBBB0BF48314F55842AE919A7A51D7799A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0810 Relevance: 1.6, APIs: 1, Instructions: 80
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0ADC08A8

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7c37425560896bc5d0a36d0fd2188a217adc9db1265677d8c904e8f230c9bffb
Instruction ID: 8075413d03510c47e6cc2ee0fb6e4a9c900f974a40ea1b6c9a5b0025149db2bf
Opcode Fuzzy Hash: 7c37425560896bc5d0a36d0fd2188a217adc9db1265677d8c904e8f230c9bffb
Instruction Fuzzy Hash: 81315871900209DFCB10DFA9D8847DEBBB4FF48324F50842AE918A7A50D7799954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0818 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0ADC08A8

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f5886de683e30de7200ea4be0bf32ec9249940fac298ef0544b3c691f0f16534
Instruction ID: 405fc4e9ede45266e564ff24a6aad8b9867b44689327d9a5efb80e96a8de4166
Opcode Fuzzy Hash: f5886de683e30de7200ea4be0bf32ec9249940fac298ef0544b3c691f0f16534
Instruction Fuzzy Hash: 7B2126719003499FCB10DFA9C8857DEBBF5FF48314F508429E918A7750D7789A44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0941 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0ADC09C8

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f006b7fc59f63686177ddf35a1f23374f03740e6146a5b0c74479221b05dd915
Instruction ID: 79d5d970b4954b55bf4c0cdd56ce9e2440beaa10a0c65968e112c930cb1a2cb4
Opcode Fuzzy Hash: f006b7fc59f63686177ddf35a1f23374f03740e6146a5b0c74479221b05dd915
Instruction Fuzzy Hash: 69212571900249DFDB10DFAAC8857EEFBF5FF48324F50842AE918A7650D7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F8D7A4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F8DC1E,?,?,?,?,?), ref: 00F8DCDF

Memory Dump Source

Source File: 00000009.00000002.324398634.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f80000_remcos.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 56630a3901f97d3ca3852f3bfe25b91f3d39a8b29d375e35720e1f981047cb58
Instruction ID: 7c4b8fd7b2579d034fc6928ed3bcb3a7dae48c3ab8480c3bb8187214eeb7ea15
Opcode Fuzzy Hash: 56630a3901f97d3ca3852f3bfe25b91f3d39a8b29d375e35720e1f981047cb58
Instruction Fuzzy Hash: EF21E5B5900249AFDB10CF99D984ADEBBF8FF48324F14801AE915B3750D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0538 Relevance: 1.6, APIs: 1, Instructions: 64
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0ADC05BE

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 3a9658eb41ebc6ee81c3b0344306a98daab2c53da1fe47776ba6fe579ac5c6ed
Instruction ID: cecedc3389c0f7076ffe6e63f25d6c35e004e2920c85a59b7f76f30aca8d93e7
Opcode Fuzzy Hash: 3a9658eb41ebc6ee81c3b0344306a98daab2c53da1fe47776ba6fe579ac5c6ed
Instruction Fuzzy Hash: 5E212871D102498FDB50DFA9C4857EEBBF4AF48314F54842ED419A7640DB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0948 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0ADC09C8

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: df03dab76c239771a1ca782914bd43bb5b53733e39b1319ac99549ea7b3999fc
Instruction ID: 2f02bed98b18bcf047d2f76a725941b9a2fb091ba93ed94bcb88a4b29d239f5e
Opcode Fuzzy Hash: df03dab76c239771a1ca782914bd43bb5b53733e39b1319ac99549ea7b3999fc
Instruction Fuzzy Hash: F52116719003499FCB10DFA9C8817EEBBF5FF48324F54842AE518A7650D7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0540 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0ADC05BE

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4c397061f375d17581c1d7e8453f3149a1bdc8a5f3769e2e1e959aaef7f96af4
Instruction ID: 59f380e57a145a1babda2db164e3bf020b08330554cc55bf74aac1a156281465
Opcode Fuzzy Hash: 4c397061f375d17581c1d7e8453f3149a1bdc8a5f3769e2e1e959aaef7f96af4
Instruction Fuzzy Hash: 852137719103098FDB10DFAAC4857EEBBF4AB48224F54842ED419A7740DB78AA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BB90 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F8B9F1,00000800,00000000,00000000), ref: 00F8BC02

Memory Dump Source

Source File: 00000009.00000002.324398634.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f80000_remcos.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: de5330e276510dc65534bb2bd6dfcc7a568ae0a0c76817d5d1084906880c2d20
Instruction ID: c510c8fd8344c6904f797a43894924baa0e8984e7a874ee5b9145637a0337e05
Opcode Fuzzy Hash: de5330e276510dc65534bb2bd6dfcc7a568ae0a0c76817d5d1084906880c2d20
Instruction Fuzzy Hash: C11129B6D002498FDB10DF9AC844BDEFBF4EB88364F10841AE419A7710C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F8B1B8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F8B9F1,00000800,00000000,00000000), ref: 00F8BC02

Memory Dump Source

Source File: 00000009.00000002.324398634.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f80000_remcos.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4b21395a20bea0b0e9ab8a58b379ae0dd2b8fbee39f35eeaa6809c62bd41b786
Instruction ID: 0220d9dfd9a5845138002a97c4a50c72da0c4f1cfd0b8f7d551b7c83d6ea7e7e
Opcode Fuzzy Hash: 4b21395a20bea0b0e9ab8a58b379ae0dd2b8fbee39f35eeaa6809c62bd41b786
Instruction Fuzzy Hash: D71103B6D002098FDB10DF9AC444BDEFBF4AB98364F10842AE419A7610C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0710 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0ADC0786

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8a18cc5b102baa0d8903ce8dc7e6967d87835629d50d28e15266f52085d52a4c
Instruction ID: b352ab71f4536f1f9c29377fb9052edcc725b4cff37bf2398d5c0b6ce3c4cb9e
Opcode Fuzzy Hash: 8a18cc5b102baa0d8903ce8dc7e6967d87835629d50d28e15266f52085d52a4c
Instruction Fuzzy Hash: 861144719002498FCB10DFA9C8447EFBBF5AF48324F24841AE429A7650C7799944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0718 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0ADC0786

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92e9ddbd298ea161cb89992ff861cf21c64da00e9e7b611fae12d7e893a0b39a
Instruction ID: e1849e91083c23712bc09b012e2d654727a7b049ca4fb17355617609a9f2992d
Opcode Fuzzy Hash: 92e9ddbd298ea161cb89992ff861cf21c64da00e9e7b611fae12d7e893a0b39a
Instruction Fuzzy Hash: 621123729002499BCB10DFAAC845BEFBBF5AB48324F548819E529A7650C779A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC044B Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0ADC04B2

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c2b90393abc211e10b1503d3aa0aea53b3c4ef49e6579a64794ddcbf32f1d5a9
Instruction ID: 729980c535c08dcace1669dd3f7679a82ed5f8249a0344503e00ddda8a83f68a
Opcode Fuzzy Hash: c2b90393abc211e10b1503d3aa0aea53b3c4ef49e6579a64794ddcbf32f1d5a9
Instruction Fuzzy Hash: 221143B19002498FCB20DFA9C4447EFBBF5AB98324F14842ED419A7B50C779A948CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0ADC0450 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0ADC04B2

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7f0a1e3de9f06e0adef12b7fb80ddee6e79b4f638453769d56e9e03d6d5c09ed
Instruction ID: 2a5a0f51f9409cb0005e3b03c9ad098f3595aaf9f80302aac9af202be9bbafe3
Opcode Fuzzy Hash: 7f0a1e3de9f06e0adef12b7fb80ddee6e79b4f638453769d56e9e03d6d5c09ed
Instruction Fuzzy Hash: 601125B19003498BCB10DFAAC4457EFFBF4AB88224F54841DD419A7750DB79A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F8B910 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F8B976

Memory Dump Source

Source File: 00000009.00000002.324398634.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f80000_remcos.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5928a53f8c51bd7ed7b106d7e82dfcf514e70aa41bd7d76cae09f9e674895209
Instruction ID: 47387849c8625796ac0e6aef6e470e0938792d1120fd9111ab74f2ffe5f90a5c
Opcode Fuzzy Hash: 5928a53f8c51bd7ed7b106d7e82dfcf514e70aa41bd7d76cae09f9e674895209
Instruction Fuzzy Hash: 7311E0B6D002498FCB10DF9AD884BDEFBF4AB88324F14851AD869B7711C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0ADCBD50 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0ADCBDAD

Memory Dump Source

Source File: 00000009.00000002.346111387.000000000ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_adc0000_remcos.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 847a73bdbffc5d1aae53eb1a38fec6bb89f6642a43378d1aac2fc7909671a5e3
Instruction ID: dca0334b09f7d21b2752a90582fba1f672c4877abbf9c278668a9934eb141460
Opcode Fuzzy Hash: 847a73bdbffc5d1aae53eb1a38fec6bb89f6642a43378d1aac2fc7909671a5e3
Instruction Fuzzy Hash: CF11D0B58002499FDB10DF9AD885BDEBBF8EB58324F10845AE859A7710D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07000040 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e705abcf6d05366c612e0d5509220b77411066fd477c89b8ffa7100968f72a
Instruction ID: 25b5301eeff1679216907e894072acb9abc8e7bcfe1514c2f5d9cf4ecf379170
Opcode Fuzzy Hash: 88e705abcf6d05366c612e0d5509220b77411066fd477c89b8ffa7100968f72a
Instruction Fuzzy Hash: 69722C31910609CFDB14EF68C898A9DB7B1FF85315F008299D54AAB265FF70AEC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0700ECD8 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6286790e421954537ca9bfe1537cbbf4095fa0da67dad4a4f7f3d943a7cc5c79
Instruction ID: 890605b04da7d9838d133b9b18d0b86bb6cbd769207bb343a7afba2bf0ca1956
Opcode Fuzzy Hash: 6286790e421954537ca9bfe1537cbbf4095fa0da67dad4a4f7f3d943a7cc5c79
Instruction Fuzzy Hash: A4D1CEB0B00106CFEB15AB64C5446AEBBF2FF45364F654AA9D442B72E5EB30D825CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0700E640 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3884ad509a8a3e75d7c64789932006db29d4b0cca2369f48eadc69341817c3
Instruction ID: 93863e24c7d5e4034b7facb2980289d898227559b122b2e9af438a4d960b312a
Opcode Fuzzy Hash: ba3884ad509a8a3e75d7c64789932006db29d4b0cca2369f48eadc69341817c3
Instruction Fuzzy Hash: D8A1D1B5A002059FEB14EBB4D5183AE7BF6EF88364F144969D409AB381DB388D45CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 07002244 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bc80bd41ee4a76a76246fe6315abf0a70026cd1621f1b58f670ed93a24135c
Instruction ID: bfd25cb15fcaa01cda1a0250a5036a923c98e9aaac55678cb42e2ea8ffd427de
Opcode Fuzzy Hash: c8bc80bd41ee4a76a76246fe6315abf0a70026cd1621f1b58f670ed93a24135c
Instruction Fuzzy Hash: 5F91C2B13006019FEB19EB74C494AAEB3E2AF85324F118A6DE5568B3D0DF34DD06C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0700E9E0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b09f5b7894512e133307b4a23e4ec546970f137eab8952e68293d45392fdc0
Instruction ID: b989eefd4d5f275be51a93a34b4e9992af6eb2ee56d2c11c725bacf0080e80f2
Opcode Fuzzy Hash: 16b09f5b7894512e133307b4a23e4ec546970f137eab8952e68293d45392fdc0
Instruction Fuzzy Hash: F271D3B06002059FEB24AB65D454BAFB7E6EFC4310F148A29E506A77E0CF359946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700B650 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a359659d66ea2c9e2343044717161342adb46b4a4ad4c685425a4947e1b7cdfa
Instruction ID: 152d80636cb12194a4eebee56ef1cabe984584458b45579543f8d6f604049674
Opcode Fuzzy Hash: a359659d66ea2c9e2343044717161342adb46b4a4ad4c685425a4947e1b7cdfa
Instruction Fuzzy Hash: 5891E5B5A0060A9FDB51CFA8C884ADEB7F1FF48320F148629E92997391D734E955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07003EF0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b3ca8e2d337c14dd7a5c47380892837803c6bac3b44e3c4003262ba7e65c67
Instruction ID: af936d3304ba66a6e4e05bbfe48a654e37aafb4339bf0f69f7759fff3e3af966
Opcode Fuzzy Hash: 42b3ca8e2d337c14dd7a5c47380892837803c6bac3b44e3c4003262ba7e65c67
Instruction Fuzzy Hash: 0A51C0B1B001418FEB24DB64C854BAE77F2EF86324F044669E516DB3D0DB38A902CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 07006370 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6610752ff2eb7a32885de364de93f9a11536bed5771dba3008f32a48d301cc1
Instruction ID: 05c4f8943013da3958e830deb437e82b2ef1f2483aa95dbb2db439cf5b0c365a
Opcode Fuzzy Hash: c6610752ff2eb7a32885de364de93f9a11536bed5771dba3008f32a48d301cc1
Instruction Fuzzy Hash: 87618D74B00219CFDB14DF68D448AAD7BF7AF89621F144169E902AB391DBB2DC11CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0700D868 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee6272baccfe4c195f51acbe293b639621801e870a3f1b7064b69f9d23f5076
Instruction ID: 4b379c0cfd87b1ef6310f3ab767be5705be90f64a48bac6e5dfbf53f189559a9
Opcode Fuzzy Hash: bee6272baccfe4c195f51acbe293b639621801e870a3f1b7064b69f9d23f5076
Instruction Fuzzy Hash: C6811874A00248CFDB04EFA8C49899DBBF1FF49304F1585A9D809AF36ADB71E945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 070036F0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab58a21597c63304126fd16fa4c3e4100926d127b25a1e3b1862eced15b0ed30
Instruction ID: 8db1ae88c6f7b9a267420b50567f73cd4172631eab11bb604b0f7d38171e04c1
Opcode Fuzzy Hash: ab58a21597c63304126fd16fa4c3e4100926d127b25a1e3b1862eced15b0ed30
Instruction Fuzzy Hash: 2C51D1B5601601DFD719EFB8C09496AB7B6FF86320B5182ADD019CB392DB35EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07003930 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda0c7acd075dfdc4156f176861a89f45287ca2fb5c67345c9c600798be8d9ea
Instruction ID: b2f27be839a6def3f8a207b883146833a23b824a2592ca88f34fa86cd5bd871a
Opcode Fuzzy Hash: dda0c7acd075dfdc4156f176861a89f45287ca2fb5c67345c9c600798be8d9ea
Instruction Fuzzy Hash: BC5172B1600601DFEB26DF74C484AAAB7F2BF45324F118A2DD5568B3E1DB31E806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700395A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec141cd77f09d33c9be13c18e420ef861ab2158ee98ded1a96565be97d244a6
Instruction ID: 12819c432ff78ac066e4fd12bbc37b88bdfcbf7075a9c2b5e30e4d70bfadcde2
Opcode Fuzzy Hash: dec141cd77f09d33c9be13c18e420ef861ab2158ee98ded1a96565be97d244a6
Instruction Fuzzy Hash: 0B5151B0200605DFEB26DF74C484AAAB7F2BF85324F10862DE5568B3E0DB31E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700CE48 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ce96befd9038bea70fecd0417586a30483e8ae388d83509590e7c9165db018
Instruction ID: 86a9e0a3f7fcca9467c5bcfc85ed1f9d4e6d306fdd6d907c1e75a15efdc57d82
Opcode Fuzzy Hash: b2ce96befd9038bea70fecd0417586a30483e8ae388d83509590e7c9165db018
Instruction Fuzzy Hash: 92511D74A1060A8FDB04EFA8C8948EEF7B1FF89210F108769E405A7355EB34E985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700D5C0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa9b69a27eae475e80b7b8df8c6cdfcb699c51c0ff9e7326a015047fa1e1857
Instruction ID: bd1ca860c7946cd40f12d465785ee4fda6672ee3db785311ccb0bad467b2d131
Opcode Fuzzy Hash: bfa9b69a27eae475e80b7b8df8c6cdfcb699c51c0ff9e7326a015047fa1e1857
Instruction Fuzzy Hash: 904171B4B11605CFEB14EFA5E914AAEBBF6AF89310F108529D40997394DB31D801CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0700D531 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a423684cf76be38b1050c67c9f10e4996d8e09582cc8068ce24db7691697993c
Instruction ID: a31b4fd38901399355455c6afe6589a21d10d2e6652d1a52b916fbd60cbb5947
Opcode Fuzzy Hash: a423684cf76be38b1050c67c9f10e4996d8e09582cc8068ce24db7691697993c
Instruction Fuzzy Hash: 5941E5B4B01646DFD714DFA8D5146AEBBF2AF89310F248169D809CB391DB31DD01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07006788 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd8d39913622829bea130e05c5ac32a93f59dfe8dd4a4a7c05324611abf2df7
Instruction ID: 102c10df85f909678baa43a9c5db372a60b1b555b31d9a6d56d1ac2cbaf4a312
Opcode Fuzzy Hash: 1fd8d39913622829bea130e05c5ac32a93f59dfe8dd4a4a7c05324611abf2df7
Instruction Fuzzy Hash: 3241E2B0B04256CFEB15CF68C884A6E7FB6AF85220F0542AAD505CB392DB31D851C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0700CE38 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130129cb1f268aa7135193db8b2873ba3fd6b8683e40a27eb3a06cf21653377c
Instruction ID: edce9c358a720ee89c061e026ec3759beb0ba8ca6eef094003cbc107f1268863
Opcode Fuzzy Hash: 130129cb1f268aa7135193db8b2873ba3fd6b8683e40a27eb3a06cf21653377c
Instruction Fuzzy Hash: DA414F75A0060A8FDB00DF64C8948EDFBB1FF89210B158759D446EB355EB34E985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700FAD0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5074c49614c88b38f776acd9723185dfbc32f1b7abd93c1fc3639440bf407770
Instruction ID: 5e4e722498d799a8edca110cda259909f01ed0247bc1fcd344052d0059c8f937
Opcode Fuzzy Hash: 5074c49614c88b38f776acd9723185dfbc32f1b7abd93c1fc3639440bf407770
Instruction Fuzzy Hash: EA418DB1A0024A9FDB10DFA9D4446EEBBF5EF48364F148529E805E7740DB38E905DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07006AD7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213fd2818ccebbfe0172a6837333784f6cfe5f2c30089b6983136ca35798ff58
Instruction ID: 1183b058e667379fe594b1a26eb5112ead562149bd6d7b6e8dc195c8368999e8
Opcode Fuzzy Hash: 213fd2818ccebbfe0172a6837333784f6cfe5f2c30089b6983136ca35798ff58
Instruction Fuzzy Hash: 43416B7070011A9FDB04EF64D844AAE7BA7EF84724F048128F9029B794CB79DD66CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0700D050 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69042d3ee723f2975dc833e481dad345d5c6426e9dd58a83a95e727395948f9e
Instruction ID: 4d03ce2ce0bf0746c026dcbccc0f7618adebd265b56aceaec05456e9ba1decfe
Opcode Fuzzy Hash: 69042d3ee723f2975dc833e481dad345d5c6426e9dd58a83a95e727395948f9e
Instruction Fuzzy Hash: 55418535A10609CFCB04EFA8D8848EDF7B5FF89314F00826AE515AB321EB71A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 070036E0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d10619fbbe46f57972f324264307ce87e5c72c95f58122df9439fbb91bf4bf
Instruction ID: fd7ae7ae2154fc30370af72eda56df2641fb191770945ecd8bdd78155e77727f
Opcode Fuzzy Hash: c3d10619fbbe46f57972f324264307ce87e5c72c95f58122df9439fbb91bf4bf
Instruction Fuzzy Hash: 2F418FB5A00601EFD719EFB8C094969B7F2FF45320B5182ACD4199B391CB32EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700ECC9 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475de33b3c491f33c393df1d2322f6aa7adffbf14084644f051a0f0c92f6046e
Instruction ID: 9cd696df756e546189852de3f010344e632205301982de31f9b1293ba69818e5
Opcode Fuzzy Hash: 475de33b3c491f33c393df1d2322f6aa7adffbf14084644f051a0f0c92f6046e
Instruction Fuzzy Hash: BF414EB0B00149CFDB58EF68C55869DBBF2EF88224F24856ED405AB3A1DB30DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700D360 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f5ca4d8a23a490f7be519b5af1ecf8263b57028d9fe392c3b96ff5e34545a3
Instruction ID: 532ef9914238bd1a8e8b3f37830a65481c8851c7165d6790cbc9e0a9bccdfcc9
Opcode Fuzzy Hash: e7f5ca4d8a23a490f7be519b5af1ecf8263b57028d9fe392c3b96ff5e34545a3
Instruction Fuzzy Hash: C131ADB1B10219DFDB14EFA9D85449DBBF2FF89210F00862AE501A73A0DB709801CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0700AD80 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8186b5401e25ce176103ed9546feaa81d5740bde4ddba13c6c2a0e8f901151
Instruction ID: d74f7df8bf9670fdcee7255fd025dc0a54795a4179c6eea818718f0bd36a7af4
Opcode Fuzzy Hash: 0a8186b5401e25ce176103ed9546feaa81d5740bde4ddba13c6c2a0e8f901151
Instruction Fuzzy Hash: 253149B67103408FEB25DB64D8915BF7FF6DF81328B1881AAD146D7292CA38ED01C361

Uniqueness

Uniqueness Score: -1.00%

Function 0700E9D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7c5370db8cedb78cdecb84cbab0e77fcf23f9508a0c6be972dd021304739a9
Instruction ID: 0ad84ea381e8998a32c3f5b871b69df893fe8fbbae751f8a87ee7d59d738afb1
Opcode Fuzzy Hash: 3c7c5370db8cedb78cdecb84cbab0e77fcf23f9508a0c6be972dd021304739a9
Instruction Fuzzy Hash: 4131A8B0601205EFEB24EF64C4447AEBBF6FF89210F14892DE516AB391DB74E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07005B78 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cfeab76d8aef00a32bfe5f6a1364dc92b9290bdc8d3a5fdf80ed4ececc176d
Instruction ID: 93a418a104b644557aac55649e789880c70eb9bb66e547565fb0662cc2115319
Opcode Fuzzy Hash: 00cfeab76d8aef00a32bfe5f6a1364dc92b9290bdc8d3a5fdf80ed4ececc176d
Instruction Fuzzy Hash: D4212870A04244AFD741ABB48C01BEE7FB7DF86350F108066E546DF281DE785D168BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0700D1A0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767e440dcfa2f37c79735ced4e7191ec33187c3ba8a0b9ae0a57eecbd371f07a
Instruction ID: 50b29bdfab9d262e346e85e3aa8e6c67693c5e85482b282ebb1ef69e2bcec9b1
Opcode Fuzzy Hash: 767e440dcfa2f37c79735ced4e7191ec33187c3ba8a0b9ae0a57eecbd371f07a
Instruction Fuzzy Hash: AB314331A10609DFCB04EFA8C4948EDBBB5FF89310F018659E5056B224FB70AA85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700ADB0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d0a58cd260e11ecefcf235774b5b56f7c9b9370d9d0c74e4d94126474c1f71
Instruction ID: c7b452a0547e33476764d9b3261c68e1e3d7541e153dac209af3fe77b61dea1f
Opcode Fuzzy Hash: f0d0a58cd260e11ecefcf235774b5b56f7c9b9370d9d0c74e4d94126474c1f71
Instruction Fuzzy Hash: 282126B67006118FEB24DA65C9815BFB7EAEBC4328F148569D146937D1C738ED40C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0700D1A8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdda2f881d23ae97886588eb61c0aed7df4ffd030075a6c0c893f4477698fac1
Instruction ID: 69a7e65aff54e5b0f3d7918013131a2f7b3d3beb52a0d8f279cb607e90b5506e
Opcode Fuzzy Hash: cdda2f881d23ae97886588eb61c0aed7df4ffd030075a6c0c893f4477698fac1
Instruction Fuzzy Hash: 25312431A10609DFCB04EFA8C854CEDBBB5FF89310F018659E5057B264FB70A989CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700E548 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09ca97f353acb6d7c439230c82a1343084f210ce46072b2a66b77a621507b32
Instruction ID: 3ba8859e55b7292d32388f6460388d7e805e68c865d0f19068b946d1cce310aa
Opcode Fuzzy Hash: c09ca97f353acb6d7c439230c82a1343084f210ce46072b2a66b77a621507b32
Instruction Fuzzy Hash: 3921D3B8700201AFDB10EFA4E9847AEBBF4EB44312F044A25E805E7380EB74D901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07002134 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab3891034f17ec0b22d3a03bee5283d05bc7c65aa19e1956034da36525c9926
Instruction ID: 9b1ae275a21ebcd68b01eca49cac2245cd105b9dcacc2486415f1f2e1bcd22d1
Opcode Fuzzy Hash: 8ab3891034f17ec0b22d3a03bee5283d05bc7c65aa19e1956034da36525c9926
Instruction Fuzzy Hash: F021BEB4E0010ADFDB54EFA8C898ABEB7F1FF89310F1085699515E73A1DA349942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07004DBA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3bd1dc967c5844ba84412c08e1567176b9174b3c847d5f1be1fa772946a781
Instruction ID: 6062231ad2d9e4e637f61055a76e1df0db7f911b0b2b62d9ae114cef668c66a8
Opcode Fuzzy Hash: cd3bd1dc967c5844ba84412c08e1567176b9174b3c847d5f1be1fa772946a781
Instruction Fuzzy Hash: 6E21D5B27006818FFA25DA24C840BEE72E5EB86734F05072EE256873D0CF34E941C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 070059A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7f7362f7338e1f5c1a3a05b428f8ee71622d0c7ab4c50b5383cce4043af500
Instruction ID: 4074528ca5c1ce372b04b53740ca741a37e9ad58b23b5a9743b0f3987638b4c9
Opcode Fuzzy Hash: fb7f7362f7338e1f5c1a3a05b428f8ee71622d0c7ab4c50b5383cce4043af500
Instruction Fuzzy Hash: 71214874E002199FDB08CFA9D8846EEBBB2FF89310F14816AD914B7344DB744A15CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07000B80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b274f313c8fc16f8818799582f47b7713e8c3bdf35dfa160004ebf3eb4da938e
Instruction ID: 03718f421328341c100ed9c8e329ca73405884f6b46fc867ee3c063e399cf5ce
Opcode Fuzzy Hash: b274f313c8fc16f8818799582f47b7713e8c3bdf35dfa160004ebf3eb4da938e
Instruction Fuzzy Hash: ED214171A106099FDB10EF6CD84099AFBB4FF49310F54C26AE958A7204FB30A958CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0700E0B4 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187968addd236aac8005838a76149bd0d9f965bc7fbbc08e5013c8db5930fe24
Instruction ID: 197a67b79fac97801eb668a281660e47fac07f1abbd1691c2b2b0e9c576dcb3f
Opcode Fuzzy Hash: 187968addd236aac8005838a76149bd0d9f965bc7fbbc08e5013c8db5930fe24
Instruction Fuzzy Hash: 7621EEB1D0020A9FDB10CF9AD984ADEFBF4FB58324F14852AE924A3210D374A904CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070059B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8ccc4af5a80b0dca9b46777981c790849fd1ac0151578cde16d55da0ceaa2a
Instruction ID: f7e2352cfc1d03e8768c74614963f34713bd282f3c7b0d73abe0349471cfbf1e
Opcode Fuzzy Hash: 8b8ccc4af5a80b0dca9b46777981c790849fd1ac0151578cde16d55da0ceaa2a
Instruction Fuzzy Hash: 4B2127B4E102199FDB04CFA9D884AEEBBF2FB89311F10812AD915B3344DB745A118FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0700E390 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee586a1b29c2b05b30ed020b8fc0c1d1a83e0731154bcc2dad148c3d2e2653d6
Instruction ID: d3f48b179bf62b74c1de52fc1ba65599e9506d716e4a56b7d49344f36d3e8d15
Opcode Fuzzy Hash: ee586a1b29c2b05b30ed020b8fc0c1d1a83e0731154bcc2dad148c3d2e2653d6
Instruction Fuzzy Hash: 5F21D7B0E05246CFD715DF28C050AAEFBF2AF09214F1585AAC414EB7A2D734E842CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 07006360 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c55e721cafe7e1befb5146811c1a7ee903ab3515a3c2f49916d0c3035e74e74
Instruction ID: cc916c163b7ebbadac2d22e86bced4cde7d394b93165bacda86ae9e7be0edf45
Opcode Fuzzy Hash: 0c55e721cafe7e1befb5146811c1a7ee903ab3515a3c2f49916d0c3035e74e74
Instruction Fuzzy Hash: 27216671A00249DFDF04DFA4E849ADDBBF2EF48321F044429E901BB2A0C772AD54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0700E539 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab6f9f47227b64b4b2d75c78ce99e9435ed2f3044a392b20ef04e87e7f8f37d
Instruction ID: 8af1f944c300fe42aafba4b157cdf805dce94f7e57a7976f9ad1afa56f3882c0
Opcode Fuzzy Hash: fab6f9f47227b64b4b2d75c78ce99e9435ed2f3044a392b20ef04e87e7f8f37d
Instruction Fuzzy Hash: 2E11D5747002019FEB20EF54E994A6E7BF4EB44711F084A55E414EB391EB70D900CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0AEEF3F0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.346351421.000000000AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aee0000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f55dae70301b4eb3a23cac7ebc829eafe9b33daa916ed684432bcc14b1d5c78
Instruction ID: 0b492221be2c84c1d69c9237a88044ec161a315b560b7a8d7fb57244eedca044
Opcode Fuzzy Hash: 3f55dae70301b4eb3a23cac7ebc829eafe9b33daa916ed684432bcc14b1d5c78
Instruction Fuzzy Hash: 94118630B001189BCB64EBB588106BFB6E7AF84754F04C16DE916DB780EF7489018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0700E3AC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69484fbc75ef09a225cdaba7f8c53874ce0f7400d9202483916e902e74ece100
Instruction ID: 3eb19fc2b5938826ce1b22476186676276f43b400b298abb760021df9243cb95
Opcode Fuzzy Hash: 69484fbc75ef09a225cdaba7f8c53874ce0f7400d9202483916e902e74ece100
Instruction Fuzzy Hash: 36113DB0E01216CFEB24DF69C444AAEF7F1EF49314F14856AD418AB361D735A902CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0700FD01 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f67a836541dd7749f2a8b78df34e04f4c63a3d8ebf9bd66f106da391d1ac9f
Instruction ID: 8fb64bd9e37de08890b6bfb602c86cc18671c70cdb7dc5f8cd5e1eb1a8adef07
Opcode Fuzzy Hash: f6f67a836541dd7749f2a8b78df34e04f4c63a3d8ebf9bd66f106da391d1ac9f
Instruction Fuzzy Hash: 381142B0E052468FDB64DF69C044AAEFBF1AF49310F19C5AAC458AB361D735E842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07001B60 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5f95ef50a7c1f0e1ecfbc6833c40f3243e6e7978d576749428808ead162dab
Instruction ID: 8574d74524b2ede22356b483f61e4ebf6243e5c7a3848ed64f4e89f8c4b87a98
Opcode Fuzzy Hash: 0f5f95ef50a7c1f0e1ecfbc6833c40f3243e6e7978d576749428808ead162dab
Instruction Fuzzy Hash: 110149753083845FD3215BA8E804A5A7FB5EFC3360F1081ABE085CB396CA388806C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 07002124 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233d516ebcddd1c03d20d384c7e1e18fa81f50fe243c8dae78259e0724d2ea82
Instruction ID: 3bdb05d0f24da4469409f7aa4d110f4c61d8e217e132b81f7637daabf2421e2f
Opcode Fuzzy Hash: 233d516ebcddd1c03d20d384c7e1e18fa81f50fe243c8dae78259e0724d2ea82
Instruction Fuzzy Hash: 600196763516024BF7549728C848AB933D6FB86334F184675E455C73E1CA24D802C691

Uniqueness

Uniqueness Score: -1.00%

Function 07002958 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68dad57acbb0e76af881c38696e2493bffd27b68413952edcf1b3759570ce31f
Instruction ID: 5eb0ea3ca251ce287a54dbee6e9267f10aed58a5bfe93693869ac30b02a2de2e
Opcode Fuzzy Hash: 68dad57acbb0e76af881c38696e2493bffd27b68413952edcf1b3759570ce31f
Instruction Fuzzy Hash: 2A01F5723106024FF765CB28D888BB937E2FBC9220F1841B6D845CB3E2CA24DC02C791

Uniqueness

Uniqueness Score: -1.00%

Function 0700D288 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebea68788f8398cd05a2b4d19986a6a6e96e5a2eeaf39ad04915d42619ca2da6
Instruction ID: 8f658711be21b1ba0100a75d4d7fb3c10b9d5b8c23d16d6b9d04b40d31f299ce
Opcode Fuzzy Hash: ebea68788f8398cd05a2b4d19986a6a6e96e5a2eeaf39ad04915d42619ca2da6
Instruction Fuzzy Hash: F0111B34210A41CFD751DB78D494FA97BE0BF46214F0549AAE2AACB775D770EC058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0700B08C Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad321a2a6f3cf1b1929912b7f3e669cc881d3136415f504899a9ffafd600a09
Instruction ID: 9e93a6323ecc053884811fc45750fb1ecdbdac4c685d6a17ffa854d6c4679232
Opcode Fuzzy Hash: 3ad321a2a6f3cf1b1929912b7f3e669cc881d3136415f504899a9ffafd600a09
Instruction Fuzzy Hash: AC010574210A01CFD750EB68C484BA9B7E4BB09214F14496AE2AACB770D770E8048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0700AE88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85a82570c907017d8dfe0cbc43edf7da542ba2afe57288f07a5d06c8734a3a1
Instruction ID: c2697b33711a220b5f306402f148bbd40611bf4ded79165cc188eb6b05d7ef43
Opcode Fuzzy Hash: f85a82570c907017d8dfe0cbc43edf7da542ba2afe57288f07a5d06c8734a3a1
Instruction Fuzzy Hash: B3014C75A042449FCB11EF68D4948DEBFB8EFC6310700019BE145DB321DB305D09C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0700DF60 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c3aa0fe2edf6e6e47af33482e6d9d26c7487af8b2ed196cc900d302c63d9ea
Instruction ID: 6ab564559e1a9e852d351fdc54d1f4f5e0313f3c3931a693955f0d300d7b786c
Opcode Fuzzy Hash: 38c3aa0fe2edf6e6e47af33482e6d9d26c7487af8b2ed196cc900d302c63d9ea
Instruction Fuzzy Hash: DFF0BE342053846FC3155BA4E809C977FB9EB82260B15C16AF5458B3A2CA39C802C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 07005B28 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d251be3bc3e84de94921d1c6fa95e94f2b214318615b6bf33ce70fb17fd1be7
Instruction ID: e08915a86841b29a270e158bbfeaaf3f29e1c34f9b53ac3cf781ce96cd60f66e
Opcode Fuzzy Hash: 5d251be3bc3e84de94921d1c6fa95e94f2b214318615b6bf33ce70fb17fd1be7
Instruction Fuzzy Hash: 56F0A470808398AFCB12DFB8D80069DBFF0AF0A320F1446E9D8D4EB252D3311510DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0700FC87 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0833cfe5534daafb6ca0bc0ec4d408a26bfc535c022ac57c4c692dec8f9cc4
Instruction ID: 5f84d16b4e8d52e826686203043360a5894a3a18ea6c84a8b74331f4379ab202
Opcode Fuzzy Hash: ab0833cfe5534daafb6ca0bc0ec4d408a26bfc535c022ac57c4c692dec8f9cc4
Instruction Fuzzy Hash: 78F09070104B028FD329CB56C554961BBF0EF46714B19C8AFD48E87AB2C630B841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0700A698 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f73b5081ce5f82e96bd6416859aebe538284ffad7cbb81074063de29a27ff9
Instruction ID: 18d00735674dd53700749daf46e1ae4ffd14842108797467e4d3d75a86bfbd16
Opcode Fuzzy Hash: f1f73b5081ce5f82e96bd6416859aebe538284ffad7cbb81074063de29a27ff9
Instruction Fuzzy Hash: FAF03074D153449FDB91DFB8D444589BFF0AB06224F1082EAD894DB2A2D7315541DF81

Uniqueness

Uniqueness Score: -1.00%

Function 07002304 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ff830c10aa17ef090d92dde6fadf0d7baa3b321aab105164b0983b313acd15
Instruction ID: ff5577387797378e3133ffec5f9750b047207dc0bc89b123f4c18710e4c81903
Opcode Fuzzy Hash: 86ff830c10aa17ef090d92dde6fadf0d7baa3b321aab105164b0983b313acd15
Instruction Fuzzy Hash: A4E0D8F0B15621CBA31A6739540026EF1857F4AA34F100B7E64169F7D4C932DC4283C0

Uniqueness

Uniqueness Score: -1.00%

Function 07002910 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7aae49609e330292877708353dc18a0fb1f983242473aee785944c4e2ffd82f
Instruction ID: 9beeaaae2d01419a0cf4c0748406ef1161fd91483181e51b31485e153b6a74a5
Opcode Fuzzy Hash: a7aae49609e330292877708353dc18a0fb1f983242473aee785944c4e2ffd82f
Instruction Fuzzy Hash: 82F0E570C09348EBD755EBB8A80429DBBF4AB06315F1043F9D560573C1D3354A06DAE2

Uniqueness

Uniqueness Score: -1.00%

Function 07003DB3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2033b704d5c66374b98445b4d89d6c1d450aec33bbcb5b401df675406b8ac18a
Instruction ID: c340c119c123edd658b17e3ddad87158ae17061fecdc6efcf3c8caf379789577
Opcode Fuzzy Hash: 2033b704d5c66374b98445b4d89d6c1d450aec33bbcb5b401df675406b8ac18a
Instruction Fuzzy Hash: 5BE04FF2F066219BD76A6A24A44235AF796AF49A64F15427ED40ADF380D622CC8283C0

Uniqueness

Uniqueness Score: -1.00%

Function 07002F92 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7406bf55f2c8e25420d87172374f4d5d138c30da457c59463d9245aec6da4ef
Instruction ID: 4685b75544356b2b544c9767d269459c89675e335c466e526cc58eff17999d69
Opcode Fuzzy Hash: a7406bf55f2c8e25420d87172374f4d5d138c30da457c59463d9245aec6da4ef
Instruction Fuzzy Hash: 83E06D70D19348AFD706EFB0A81439EBFB0AB01304F1082EAC80897392D7398A05CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07001519 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a0256f55a2344af97e5ed966817b1254d33431c70b085692d4dc877af00372
Instruction ID: b80091e939d129f0dfa727033cd6a00236d6c328c0f8d510e221de483eae3a7c
Opcode Fuzzy Hash: b9a0256f55a2344af97e5ed966817b1254d33431c70b085692d4dc877af00372
Instruction Fuzzy Hash: 31E06DB1D04218AFD700DFA8D44675D7BF4EB09309F0051E5D40493350D7369A048E81

Uniqueness

Uniqueness Score: -1.00%

Function 07005908 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9795cabb16fc96104c7cfa2bf1c79cbadf28e345f09ff4b2aec7a73b10970e
Instruction ID: 406b0c907d58cafa24b851e13a71d2e4f8b67dc38cd8fabe5c0290bae98a36b9
Opcode Fuzzy Hash: 0e9795cabb16fc96104c7cfa2bf1c79cbadf28e345f09ff4b2aec7a73b10970e
Instruction Fuzzy Hash: 61E0C2B4E01208AFDB80DFA8D48978DBBF0EF08355F1181A9D918D73A0E7358A518F41

Uniqueness

Uniqueness Score: -1.00%

Function 07005952 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c150058ee807cdef38d9f46863705779fbf50f2cce4e687a41ffef1e087be66
Instruction ID: 79a17202f9d6bd471f8ccc3cf40bcbea337409edeb8f611ab3afadd1a5396742
Opcode Fuzzy Hash: 4c150058ee807cdef38d9f46863705779fbf50f2cce4e687a41ffef1e087be66
Instruction Fuzzy Hash: 83F0F8B5C05218AFDB41DFE4D9447ADBFB0FB08311F1186A9E918E3251D7308651DF91

Uniqueness

Uniqueness Score: -1.00%

Function 07005708 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d200708cbde800d57222b64ca80bf2119a3679558656db85004e04199a5df48b
Instruction ID: c8ebc5254e52c92aa0774c96d7fc58fa95160685651f881f591fb9ba8e6a0ac5
Opcode Fuzzy Hash: d200708cbde800d57222b64ca80bf2119a3679558656db85004e04199a5df48b
Instruction Fuzzy Hash: C2E092B0C00108ABEB04EBA4D8097CDBBF0EB04315F5012A9C40497340E73097818B81

Uniqueness

Uniqueness Score: -1.00%

Function 07003698 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ddc882d5bc8ea36f2764373218a8ba99f89e85c0b7e19b327d20a2e00b0a57
Instruction ID: 86e9aed3330763baa63f65c5590adc15e3f944dae929bb1551e41da2ee0d2ef5
Opcode Fuzzy Hash: 67ddc882d5bc8ea36f2764373218a8ba99f89e85c0b7e19b327d20a2e00b0a57
Instruction Fuzzy Hash: 0FF06D70914208AFD740EFA8E845B5EBBB4FB48305F1181E9D904A73A1D731EA05CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0700CDF9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2276f694e7cea3296be3dceb37a44a3e0fe018198942df339265ee62017ad5fa
Instruction ID: b7c01e0e0add344eb3c0e20ec81b4ce3a1b3934a037a844ea88fefaa28043493
Opcode Fuzzy Hash: 2276f694e7cea3296be3dceb37a44a3e0fe018198942df339265ee62017ad5fa
Instruction Fuzzy Hash: 3BE04F70D1A284EFD715AF74A4543997FB0AB02205F2506EAC484C7151DB354A46DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0AEEF398 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.346351421.000000000AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aee0000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85237f5d6bf81c3fad30b7cdbf1c8c48f295c85d8ef1b8ac4e9c1e2c5e75fdff
Instruction ID: a9e38a86614592f1b1be0f161f96467ff4dec5c419274666ef73cbb177ef909d
Opcode Fuzzy Hash: 85237f5d6bf81c3fad30b7cdbf1c8c48f295c85d8ef1b8ac4e9c1e2c5e75fdff
Instruction Fuzzy Hash: 3AF0A535D04208EFCB54DFA8D841A9DBBB1EB48304F10C1AAAC1893350D732AA51DF40

Uniqueness

Uniqueness Score: -1.00%

Function 07001560 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8fa1582d68ca2b6a0844ef7fc796c7e6a823c60934c9e595398f3ae1e58344
Instruction ID: 6dce4afef543e460ca3721e7871c61d20da79c0ae336454fe5b8eac1c18597da
Opcode Fuzzy Hash: 5e8fa1582d68ca2b6a0844ef7fc796c7e6a823c60934c9e595398f3ae1e58344
Instruction Fuzzy Hash: 78D02BBAB0412413D320212E14046AF67CE4BD0622F09056FE015872C18C55880192D5

Uniqueness

Uniqueness Score: -1.00%

Function 07001F38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fd0d639c08b0a96e59d558ce5ebacbbfbbd994234eca5740de7e969e3401f2
Instruction ID: 2dd201832727e724fec881f51703389add05f5bc7aa62e1b11dc9e0efff1b117
Opcode Fuzzy Hash: 58fd0d639c08b0a96e59d558ce5ebacbbfbbd994234eca5740de7e969e3401f2
Instruction Fuzzy Hash: AFE04FB390022CBFEF115F84D845BDB3F98EB11764F194166F6086B191C373A4629BE2

Uniqueness

Uniqueness Score: -1.00%

Function 0700CA60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87678310f0ddb0bba3a1f4a2caeedc98180306d61b93159b83b8401fd34ce22
Instruction ID: a9e357bf3dc7ac812e5e3e98ed7fbdf745bce7e9efaba9ee49e9deb93d6ff743
Opcode Fuzzy Hash: e87678310f0ddb0bba3a1f4a2caeedc98180306d61b93159b83b8401fd34ce22
Instruction Fuzzy Hash: D0E09270D09244AFC745EBB4A81539CBFB0EB46304F1082FAD44493281D7394A41CF82

Uniqueness

Uniqueness Score: -1.00%

Function 07002294 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42bbc91ad7427437578556e4d153082f12510f1edf1f21b147a8e26ab9b08c9
Instruction ID: 8f683edce5b4f5e4a7fb0e7c4785c7c34ca1fe5b262e5d261959f2b6f2eabcf9
Opcode Fuzzy Hash: c42bbc91ad7427437578556e4d153082f12510f1edf1f21b147a8e26ab9b08c9
Instruction Fuzzy Hash: 7FD0A736354224A36608737E94548DFB2DEBBC65357404E3AE209C3F60DDA09D0642E2

Uniqueness

Uniqueness Score: -1.00%

Function 07004D72 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9557d4b3ad6b8f76710d8fae4196d144533880b72e789c58a806248b9a46ef31
Instruction ID: 19550314e496c9fe843a15407522316968a3d4a74555698f86ab0c40b6882ac7
Opcode Fuzzy Hash: 9557d4b3ad6b8f76710d8fae4196d144533880b72e789c58a806248b9a46ef31
Instruction Fuzzy Hash: 03E09AB0C04208AFD754EBB4D84135EBBB0EB44309F1082FEC404A3281D7359A00CB82

Uniqueness

Uniqueness Score: -1.00%

Function 07005B38 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37d07f9698c6ad38e61c8e0302f08c9acb79917e9680a69b04ac2d217a22697
Instruction ID: add9a6140077724f2852ead0dd761f911a4f648114a8818dd8c61b556dbdf1b3
Opcode Fuzzy Hash: f37d07f9698c6ad38e61c8e0302f08c9acb79917e9680a69b04ac2d217a22697
Instruction Fuzzy Hash: 72E0C974D0021DAFCB44EFA8D8456ADBBB1FB48311F0086A9E854A3350D7715650DF91

Uniqueness

Uniqueness Score: -1.00%

Function 07005960 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfa544aa3b78f4ae925d4e83914ef362fbb4a9a962f3aed2aecfc05593023ca
Instruction ID: c22f9432c0732ec47ee3315c7f632a7e39ca70f86bf46a59e0d2ac55d3308ddb
Opcode Fuzzy Hash: edfa544aa3b78f4ae925d4e83914ef362fbb4a9a962f3aed2aecfc05593023ca
Instruction Fuzzy Hash: 90E0A5B4D00218AFCB44EFA8D9047ADBBB4FB48310F1086A9E914A3251D7715650DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0AEEF0F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.346351421.000000000AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aee0000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76de3a528a9f438b277041817560f070fbd2bdf2942cf61163111e9f090a84c
Instruction ID: 92248601ce4aa671d66e0a5114085e8fa87862ada539fe6e3cea76ad74bc6854
Opcode Fuzzy Hash: c76de3a528a9f438b277041817560f070fbd2bdf2942cf61163111e9f090a84c
Instruction Fuzzy Hash: F5E0E534E15208EFCB40DFA8D445A9CBBF0EF48304F5081EAD80893311D730AA40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0AEE8CA8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.346351421.000000000AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aee0000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8284a8b6fd24e6a7bcab63041bbcd4963ed43e548914614d41e6757d5bced2df
Instruction ID: 9618970e85f88ecb799f98233611aa20e90252867f79da9970c7fde9d5628060
Opcode Fuzzy Hash: 8284a8b6fd24e6a7bcab63041bbcd4963ed43e548914614d41e6757d5bced2df
Instruction Fuzzy Hash: 37E09A74E15208EFCB94DFA8D54569DFBF4EB88304F14C1EA981893341D735AA42CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0700A6A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bb71aa90efe1490feec8326a012972c42f5b5752d4bdb826d6a338ea1fef4c
Instruction ID: d8d29f3db729fab77bb223eb28218f0011fe6788ecfb8133c9fab361d7fe1f84
Opcode Fuzzy Hash: 91bb71aa90efe1490feec8326a012972c42f5b5752d4bdb826d6a338ea1fef4c
Instruction Fuzzy Hash: E2E09A74E10208AFC780DFA9D44465DBBF4FB08615F0081EAD808D7360E7359A40CF41

Uniqueness

Uniqueness Score: -1.00%

Function 070036A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5daf7f4d53a37c401f7d65a55da35b0864944f6f9e237bf57b9e7d2eff5ccbbd
Instruction ID: 33097984b08b492ad2a820a830ad89b76e2214054f2468889a4b44649fc0218a
Opcode Fuzzy Hash: 5daf7f4d53a37c401f7d65a55da35b0864944f6f9e237bf57b9e7d2eff5ccbbd
Instruction Fuzzy Hash: 7BE0B674E24208AFC784EFA8E444A5DBBB4FB49315F1182E9D80897360D7319A41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07001528 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2851a238a08130b11f24786577c7791a5e7d8ad300c2362c53a79c3e97693332
Instruction ID: 0bac714e2124ddbf1d8a472ed5864a9bc30f62c41b33ee4ea1be9ece10a00574
Opcode Fuzzy Hash: 2851a238a08130b11f24786577c7791a5e7d8ad300c2362c53a79c3e97693332
Instruction Fuzzy Hash: 26E012B0914218AFC744DFA8E408A5DBBF4AB4A306F0081EAE80897360D7319A40CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0700D000 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ddd412efb793c71b7f504999e75887c8c3b8f83a8b4144a44310de6bc77fd6
Instruction ID: 1fc95bcc32598c6f6839b8c92cd15527b1f00f6a67191520d4df578acd2b4096
Opcode Fuzzy Hash: d4ddd412efb793c71b7f504999e75887c8c3b8f83a8b4144a44310de6bc77fd6
Instruction Fuzzy Hash: E7E04671904608AECB80EFB8D4481AD7FF4BB11220F00CA3AE80CCA001EA31C2D69FD1

Uniqueness

Uniqueness Score: -1.00%

Function 07002B48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d2d2b8ec7677d35aeabe47e8dee897837924d3693a815c45e564530220c945
Instruction ID: b3c555d4a2972aae09d4cf91a9d9059c210ab3c1df977d96faff67abc8de2fa2
Opcode Fuzzy Hash: 95d2d2b8ec7677d35aeabe47e8dee897837924d3693a815c45e564530220c945
Instruction Fuzzy Hash: C6E0BFB0F0010ACBEF19DA94D8587FEB3B5FB85314F1082594515673D4DA385942CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 07005918 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c12a6c45fff4a799877ccda28057ad0dbbc8daff714cb91ce2bb4df30e0188
Instruction ID: 280452b6f311906a371dda4a50272a810c4a7e699949d2bc8c0a28a005edcb09
Opcode Fuzzy Hash: 13c12a6c45fff4a799877ccda28057ad0dbbc8daff714cb91ce2bb4df30e0188
Instruction Fuzzy Hash: 44E092B4E11208EFCB80DFA9D445B9DBBF4EB08215F0081EAD909D7360E7359A50CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0700D821 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003d34ab76364ac3675ddb611992dea1bd10381ac11bc536af0526122daa4416
Instruction ID: 68570efce8b7bb0fcaf033405d5909ad9ecaa46340fc0e1e47776b69fefc33b9
Opcode Fuzzy Hash: 003d34ab76364ac3675ddb611992dea1bd10381ac11bc536af0526122daa4416
Instruction Fuzzy Hash: 06E0BF706092858FD3098B2C9409341BFA07F56314F0441DBA554CE243E7BAD5C4DBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0AEE7A50 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.346351421.000000000AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aee0000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e929bc998d7d57837f5363f5e68d247639bd07c3531b2ae0a5ab66c9267e8b
Instruction ID: 7073577d20e8b9411170bd16c789994042fddae4dbfc5099cf005d50499e6a33
Opcode Fuzzy Hash: 99e929bc998d7d57837f5363f5e68d247639bd07c3531b2ae0a5ab66c9267e8b
Instruction Fuzzy Hash: 83E0C23185910CEFD710EFF0E4047AE7BE8EB45205F0000E9C00A93220DF314F048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0AEEF0B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.346351421.000000000AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aee0000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bde0a02c717ac724596c6a47f7be801066905bd96b235647018324be483bc9
Instruction ID: 358faf16bbdb8186faa3cfe9692a0eabedef885ef06ebc8d70aa67073c6096b2
Opcode Fuzzy Hash: 24bde0a02c717ac724596c6a47f7be801066905bd96b235647018324be483bc9
Instruction Fuzzy Hash: C5E09274E1520CEFCB54EFA8E54969DBBF4EB88305F5081EA9819A3351D734AA40CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07005718 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db015e9c979bb5c9bf10d5509099ee0bd3202b535e991330697d90a5dee4e25a
Instruction ID: c66b6aaf3b26557c2d9392ab42a69d6d7e119851aeef742ca8a0c42632703ee9
Opcode Fuzzy Hash: db015e9c979bb5c9bf10d5509099ee0bd3202b535e991330697d90a5dee4e25a
Instruction Fuzzy Hash: 77E08C70D00208AFCB44EFF8E808B9CBBF4EB04218F5002E9C80897340EB319B858B82

Uniqueness

Uniqueness Score: -1.00%

Function 07001570 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723780a68f6dc0181124c2800412dfe66b636ff89164d11f1f85cf15c9b0c29f
Instruction ID: b390a99a428dc5645d9370fde2aab538dc0bc6879ad5f4d88c1788bb23d62e54
Opcode Fuzzy Hash: 723780a68f6dc0181124c2800412dfe66b636ff89164d11f1f85cf15c9b0c29f
Instruction Fuzzy Hash: 81C08077704138135625316F24144BFA7CF4EC5A72615457FF509873C59DA58C0192E5

Uniqueness

Uniqueness Score: -1.00%

Function 07002FA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553459418de41b33acd1727935678353e1246953500d107a9e71991e776d5616
Instruction ID: bd813baea6176f1ac3c3b18ab5b811344683e8adfde4adfca21914a7b968f0f1
Opcode Fuzzy Hash: 553459418de41b33acd1727935678353e1246953500d107a9e71991e776d5616
Instruction Fuzzy Hash: F6E0EC70D05208EFD754EFB4E50469DB7B5FB44305F1082B9C80493340D7359A41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07004D80 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d643bed68686bf9e405f3ebe990a64cbf96f0b7d2f29289e0bd407f7ec4c631f
Instruction ID: eeb243a0e02466d72326e8861333eaefb61d7cb1b8e5c2cc81fbefc9eae340bc
Opcode Fuzzy Hash: d643bed68686bf9e405f3ebe990a64cbf96f0b7d2f29289e0bd407f7ec4c631f
Instruction Fuzzy Hash: 2AE0EC70D05208EFD754EFB8E44569DB7B5EB45305F1082BED81493280D7359A41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0700FCD1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf946ca5a9f1d5c0646115dd7637fb7e4ef8faeaefd4ce66063665fb281c10b
Instruction ID: 2ee80d6cb62e31b4fecc432bfc9bae66b84e2642166119b62fd49275edf143b3
Opcode Fuzzy Hash: cdf946ca5a9f1d5c0646115dd7637fb7e4ef8faeaefd4ce66063665fb281c10b
Instruction Fuzzy Hash: D9D05E1121E2A01BD70673A8A0201E8BF698B47524B0940DBC1C98B193C8850C4283EA

Uniqueness

Uniqueness Score: -1.00%

Function 0700CA70 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c8007ab4555413d848c125be9b9791151e125a08e1e9e2e504a5252d0cd0c9
Instruction ID: e7cda1f409e97650c8dc96c83a41c113ea40eb8457fa244f1f88ccdff17d2812
Opcode Fuzzy Hash: d3c8007ab4555413d848c125be9b9791151e125a08e1e9e2e504a5252d0cd0c9
Instruction Fuzzy Hash: 69E0EC70D05218AFD754EFF4A8152ADBBF4AB49315F1082E9D41853240DB358A54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 07002920 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cd384bd4f5d18cbe73b872ce6506c0538e42ee5dddcc66a676871b6d58dd1f
Instruction ID: 5db4838b7e6343dea4dea2b889f249657d94a57df832f721875b789b9c25b3fd
Opcode Fuzzy Hash: 35cd384bd4f5d18cbe73b872ce6506c0538e42ee5dddcc66a676871b6d58dd1f
Instruction Fuzzy Hash: 34E0ECB0D05218EFD755EFB8A50439DBBF4BB45305F1082E9D45853384D7358A54DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0700D008 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d350e571d8fe5a553a2872f3a0af989435bdc0590c6ea7609f5b808718db0373
Instruction ID: 17570ed91f6c09b2cfb0108be983d1de1b347705ab3310525db0def53d7e59e7
Opcode Fuzzy Hash: d350e571d8fe5a553a2872f3a0af989435bdc0590c6ea7609f5b808718db0373
Instruction Fuzzy Hash: 99E0EC7191460CADDB80EEB4D5445A97BE8AB15220F40C63AE80CDA100EA31D2959B91

Uniqueness

Uniqueness Score: -1.00%

Function 07001F48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef71177fc3962cce3ec72dcb87ad85865cad8078f636c84e34872c085173d273
Instruction ID: 04da039e6b6a7f11a8f6205bc5b0bdb76f23b42e45e0a7e10ac89633eab397a4
Opcode Fuzzy Hash: ef71177fc3962cce3ec72dcb87ad85865cad8078f636c84e34872c085173d273
Instruction Fuzzy Hash: DDE08C7280022CBFDF119F448844BDB3F58EB01360F144066FA082E052C373A86297E0

Uniqueness

Uniqueness Score: -1.00%

Function 0700CE08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dba85db6edab95ec28f7dffb73b6e2e7caf8e85f68cd23fe9fe48a6d103b956
Instruction ID: 0521e82f83307dd0140d6de3ac410bee7f36a4b3d40ecf35215530e3dffca37c
Opcode Fuzzy Hash: 7dba85db6edab95ec28f7dffb73b6e2e7caf8e85f68cd23fe9fe48a6d103b956
Instruction Fuzzy Hash: F9D05E70921208AFD744EFB4A80439E7BB8AB00249F5002B9C80453280EB328A84CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0700FC58 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2dd600d83e472db77ae2fe11f6f2f044136429b32de65ac50fd01d75011647
Instruction ID: 5ea7d4ef872d17248e931c1b9aff204e187462c0b07b5322af0e5ece3d7673bf
Opcode Fuzzy Hash: 5a2dd600d83e472db77ae2fe11f6f2f044136429b32de65ac50fd01d75011647
Instruction Fuzzy Hash: 19D0A72131C2A407C3162268A4100593F8AEB4A61571400FBE586C7A42D9950C4143DB

Uniqueness

Uniqueness Score: -1.00%

Function 0700AA64 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81833cac3475ebb2c25985ee40eba202151f680d842e5a6095358dae299055d4
Instruction ID: cb9116885e8bff2f502de6a482d03c62d8e23070e8db78a54e936efa6cc54855
Opcode Fuzzy Hash: 81833cac3475ebb2c25985ee40eba202151f680d842e5a6095358dae299055d4
Instruction Fuzzy Hash: 86D0C934280108EFD700AF14D444C997766FF25366F518552F9494B731CB31E811DAD1

Uniqueness

Uniqueness Score: -1.00%

Function 0700FC68 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f820241f2dae4ac198bb66cc1f05c82797a999bcf61825980818373ba007cc
Instruction ID: 741722d130307177878efd06050029f70f2a1b4224b99c681dcd793013e28e71
Opcode Fuzzy Hash: 98f820241f2dae4ac198bb66cc1f05c82797a999bcf61825980818373ba007cc
Instruction Fuzzy Hash: E8C08C3132013803C6082198B0001AD368E8788625B000027A60A837404DE50C0003DF

Uniqueness

Uniqueness Score: -1.00%

Function 0700FCE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a87cf3b4c5bc25b61d137d636e02b1dca1bafba0fa08e386c48f2a541d4ef1c
Instruction ID: 1f6137a6cc56e2193d05bb16e655bba4f091b065be9048a728657a41bde7c95f
Opcode Fuzzy Hash: 7a87cf3b4c5bc25b61d137d636e02b1dca1bafba0fa08e386c48f2a541d4ef1c
Instruction Fuzzy Hash: 8EB09B2133413417D508319DB4115ED758D87C5975F44017B950D977815DD55D4102DF

Uniqueness

Uniqueness Score: -1.00%

Function 0700AD50 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa429cd835c215b6140503888ceedabc1f2295ce094c98ec21bc23fa25d9da0
Instruction ID: 427d31f625cb66415fc4eedb16d144aa1032a6d55482bbfd450e83d15960903f
Opcode Fuzzy Hash: caa429cd835c215b6140503888ceedabc1f2295ce094c98ec21bc23fa25d9da0
Instruction Fuzzy Hash: 96D012619083808FC3227B259524485BF30FEB7300706539B88C085092E65506A8C752

Uniqueness

Uniqueness Score: -1.00%

Function 0700AA54 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690542d96f245a9c6cf6eacb6216c62f926df463394cb3fee41d3481cc4ffe55
Instruction ID: c63342ad5b4a0c38ba8fd0e1f6eef23769be14deaa9c8fc248bbd769a4d67a65
Opcode Fuzzy Hash: 690542d96f245a9c6cf6eacb6216c62f926df463394cb3fee41d3481cc4ffe55
Instruction Fuzzy Hash: CEC08CA1624708CDE220FB3886004DDB774FF17200F80CF1BE08162360EF2091A886E3

Uniqueness

Uniqueness Score: -1.00%

Function 07002234 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.343347918.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7000000_remcos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462ffc8e003c32e29b895154d546028fa92b191a2dae4dba46aa27ed8122b88c
Instruction ID: 01c31a5df55db40807aae718e0bed4451d1695f451d8199a7357e9222b6e8aaa
Opcode Fuzzy Hash: 462ffc8e003c32e29b895154d546028fa92b191a2dae4dba46aa27ed8122b88c
Instruction Fuzzy Hash: 79B012BE258100FAF20533A04425F9FE101BB92F28F01AD063304146E08961D410D1EB

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report s0VxndYXq0

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remcos.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s0VxndYXq0.exe.log

C:\Users\user\AppData\Local\Temp\install.bat

C:\Users\user\remcos\remcos.exe

C:\Users\user\remcos\remcos.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
s0VxndYXq0

Function 029DB722 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Function 029D5B24 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 029D4338 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 029DD7A4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 029DBB90 Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON