
Windows Analysis Report
documents-pdf.exe

Overview

General Information

Sample name: documents-pdf.exe
Analysis ID: 1513854
MD5: 12d7e4dbcb67711b60c8f626d81c7438
SHA1: 4610fe694c6c796ed9ab5cc729519fe3c1fa7629
SHA256: 3f0143cb0fdd7f85c55841a713bf4934df3c7f17d1133103b323a5332535852b
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Sample has a suspicious name (potential lure to open the executable)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locale information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • documents-pdf.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\documents-pdf.exe" MD5: 12D7E4DBCB67711B60C8F626D81C7438)
    • WerFault.exe (PID: 5496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1128 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4796 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1136 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1164 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1156 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5628 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1212 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1252 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • yava_explore.exe (PID: 5080 cmdline: "C:\Users\user\AppData\Roaming\yava_explore.exe" MD5: 12D7E4DBCB67711B60C8F626D81C7438)
      • WerFault.exe (PID: 5652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 684 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 2452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 744 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 776 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 6188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 680 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 344 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 684 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 5408 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 732 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 4444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 3356 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 716 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1380 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • yava_explore.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Roaming\yava_explore.exe" MD5: 12D7E4DBCB67711B60C8F626D81C7438)
    • WerFault.exe (PID: 6000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 580 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | APT33; The Gorgon Group; UAC-0050 | | https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "198.23.227.212:32583:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yava_explore.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-AYRCHN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000010.00000002.4507176842.000000000081D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000001F.00000002.2190431886.000000000067C000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0xf30:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.4507148871.00000000007D9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x11a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.4507176842.0000000000828000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.2128363256.000000000093D000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0xef0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
(5 of 65 entries shown)
Source | Rule | Description | Author | Strings
16.2.yava_explore.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
16.2.yava_explore.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
16.2.yava_explore.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
16.2.yava_explore.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown | strings:
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
16.2.yava_explore.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | strings:
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
(5 of 103 entries shown)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\yava_explore.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\documents-pdf.exe, ProcessId: 4508, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-AYRCHN

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 45 1A 1E 96 A9 D4 3C 95 AF 17 FD 5B DE A4 4D 7F 30 27 5C 99 0B 99 B6 BD 0C 15 58 68 A6 60 CC E1 91 7F F4 9D B4 92 7C F8 78 00 E2 0C DB 17 F7 A0 9C E5 D1 6A 88 72 78 58 90 93 27 75 4C 16 C9 75 BF D2 2E 68 40 8E EA CA 8C F6 95 90 CA 63 00 27 DF B0 13 14 A5 31 2E 8A 42 A0 8B 73 0B A0 58 39 C1 DA , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\yava_explore.exe, ProcessId: 5080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-AYRCHN\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-19T14:52:35.576605+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:52:38.134974+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:52:40.698176+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:52:43.260126+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49725 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:52:45.880626+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49730 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:52:48.466159+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49731 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:52:51.061897+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49733 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:52:53.710624+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49734 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:52:56.432314+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49735 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:52:59.016129+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49736 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:01.607406+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49737 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:04.312880+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49738 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:06.951779+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49739 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:09.548833+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49740 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:12.136126+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:14.713699+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49742 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:18.355118+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49743 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:20.917327+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49744 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:23.513235+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49746 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:26.151716+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49748 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:28.751224+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49749 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:31.934813+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49750 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:34.550284+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49751 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:37.159503+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49752 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:39.762402+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49753 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:42.358721+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49754 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:45.058650+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49755 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:47.659026+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49756 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:50.976382+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49757 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:53.528548+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49758 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:56.112794+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49759 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:53:58.687765+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49760 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:01.308899+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49761 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:03.900262+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49762 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:06.520574+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49763 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:09.028558+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49764 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:11.600523+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49765 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:14.137294+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49766 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:16.547704+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49767 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:18.921513+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49768 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:21.281640+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49769 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:23.627004+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49770 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:25.942626+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49771 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:28.244479+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49772 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:30.534465+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49773 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:32.766687+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49774 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:34.983943+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49775 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:37.153992+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49776 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:39.345124+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49777 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:41.692626+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49778 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:43.826007+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49779 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:46.032560+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49780 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:48.090252+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49781 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:50.180012+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49782 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:52.217806+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49783 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:54.642709+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49784 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:56.677325+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49785 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:54:58.685180+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49786 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:00.688737+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49787 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:02.965459+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49788 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:05.015293+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49789 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:06.981471+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49790 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:08.922870+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49791 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:11.208960+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49792 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:13.271815+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49793 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:15.266891+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49794 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:17.185810+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49795 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:19.204292+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49796 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:21.534203+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49797 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:23.610667+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49798 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:25.500716+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49799 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:27.392054+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49800 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:29.359496+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49801 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:31.312314+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49802 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:33.140228+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49803 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:34.986705+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49804 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:36.880675+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49805 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:38.812703+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49806 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:40.763845+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49807 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:42.832646+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49808 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:44.707654+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49809 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:46.547911+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49810 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:48.670309+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49811 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:50.560438+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49812 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:52.500913+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49813 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:54.453269+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49814 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:56.361527+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49815 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:55:58.308418+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49816 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:00.143402+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49817 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:01.983339+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49818 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:03.884617+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49819 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:05.724651+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49820 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:08.068766+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49821 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:09.967988+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49822 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:11.849951+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49823 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:13.701731+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49824 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:15.568650+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49825 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:17.405510+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:19.265195+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49827 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:21.143403+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49828 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:23.019231+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49829 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:24.688731+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49830 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:26.547301+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49831 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:29.389220+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49832 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:31.369951+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49833 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:33.235479+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49834 | 198.23.227.212 | 32583 | TCP
2024-09-19T14:56:35.047492+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49835 | 198.23.227.212 | 32583 | TCP


AV Detection

Source: 00000000.00000002.2128430234.0000000000981000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "198.23.227.212:32583:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yava_explore.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-AYRCHN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\yava_explore.exe | ReversingLabs: Detection: 76%
Source: documents-pdf.exe | ReversingLabs: Detection: 76%
Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.4507176842.000000000081D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4507176842.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2128430234.0000000000981000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2190470825.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: documents-pdf.exe PID: 4508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5744, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: documents-pdf.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_004338C8
Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_00883B2F CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00883B2F
Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,16_2_004338C8
Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021D3B2F CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,16_2_021D3B2F
Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,31_2_004338C8
Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_02243B2F CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,31_2_02243B2F
Source: documents-pdf.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

            Exploits

            Source: Yara matchFile source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: documents-pdf.exe PID: 4508, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: yava_explore.exe PID: 5080, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: yava_explore.exe PID: 5744, type: MEMORYSTR

            Privilege Escalation

            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00407538 _wcslen,CoGetObject,0_2_00407538
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_00407538 _wcslen,CoGetObject,16_2_00407538
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_00407538 _wcslen,CoGetObject,31_2_00407538
            Source: documents-pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\documents-pdf.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0044E8F9 FindFirstFileExA,0_2_0044E8F9
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0086C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0086C589
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0085C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0085C5EF
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00859907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00859907
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00858AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00858AAE
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00857ADE FindFirstFileW,FindNextFileW,0_2_00857ADE
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0089EB60 FindFirstFileExA,0_2_0089EB60
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0085BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0085BDD2
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00869DED FindFirstFileW,0_2_00869DED
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_0040928E
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_0041C322
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_0040C388
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_004096A0
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_00408847
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_00407877 FindFirstFileW,FindNextFileW,16_2_00407877
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_0044E8F9 FindFirstFileExA,16_2_0044E8F9
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,16_2_00419B86
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,16_2_0040BD72
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021BC589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_021BC589
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021AC5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_021AC5EF
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021A8AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_021A8AAE
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021A7ADE FindFirstFileW,FindNextFileW,16_2_021A7ADE
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021EEB60 FindFirstFileExA,16_2_021EEB60
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021A9907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_021A9907
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021ABDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_021ABDD2
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021B9DED FindFirstFileW,16_2_021B9DED
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_0040928E
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,31_2_0041C322
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,31_2_0040C388
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_004096A0
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,31_2_00408847
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_00407877 FindFirstFileW,FindNextFileW,31_2_00407877
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0044E8F9 FindFirstFileExA,31_2_0044E8F9
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,31_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,31_2_00419B86
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,31_2_0040BD72
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0222C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,31_2_0222C589
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0221C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,31_2_0221C5EF
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_02218AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,31_2_02218AAE
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_02217ADE FindFirstFileW,FindNextFileW,31_2_02217ADE
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0225EB60 FindFirstFileExA,31_2_0225EB60
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_02219907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_02219907
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_02229DED FindFirstFileW,31_2_02229DED
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0221BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,31_2_0221BDD2
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2

            Networking

            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49720 -> 198.23.227.212:32583
            Source: Malware configuration extractorURLs: 198.23.227.212
            Source: global trafficTCP traffic: 192.168.2.5:49720 -> 198.23.227.212:32583
            Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
            Source: unknownTCP traffic detected without corresponding DNS query: 198.23.227.212
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_0041B411
            Source: yava_explore.exe | String found in binary or memory: http://geoplugin.net/json.gp
            Source: documents-pdf.exe, 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, documents-pdf.exe, 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, documents-pdf.exe, 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, yava_explore.exe, 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, yava_explore.exe, 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, yava_explore.exe, 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, yava_explore.exe, 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, yava_explore.exe, 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, yava_explore.exe, 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
            Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 | 0_2_0040A2F3
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard | 0_2_0040B749
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 0_2_004168FC
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 16_2_004168FC
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 31_2_004168FC
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 0_2_0040A41B
            Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: documents-pdf.exe PID: 4508, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5080, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5744, type: MEMORYSTR

            E-Banking Fraud

            Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000010.00000002.4507176842.000000000081D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4507176842.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2128430234.0000000000981000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190470825.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: documents-pdf.exe PID: 4508, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5080, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5744, type: MEMORYSTR

            Spam, unwanted Advertisements and Ransom Demands

            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0041CA73 SystemParametersInfoW | 0_2_0041CA73
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0086CCDA SystemParametersInfoW | 0_2_0086CCDA
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_0041CA73 SystemParametersInfoW | 16_2_0041CA73
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021BCCDA SystemParametersInfoW | 16_2_021BCCDA
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_0041CA73 SystemParametersInfoW | 31_2_0041CA73
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_0222CCDA SystemParametersInfoW | 31_2_0222CCDA

            System Summary

            Source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0000001F.00000002.2190431886.000000000067C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000010.00000002.4507148871.00000000007D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.2128363256.000000000093D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: Process Memory Space: documents-pdf.exe PID: 4508, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: yava_explore.exe PID: 5080, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: yava_explore.exe PID: 5744, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: initial sample | Static PE information: Filename: documents-pdf.exe
            Source: documents-pdf.exe | Static file information: Suspicious name
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 0_2_0041330D
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA | 0_2_0041D620
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 0_2_0041BBC6
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 0_2_0041BB9A
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_00863574 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile | 0_2_00863574
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0086D887 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA | 0_2_0086D887
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0086BE01 OpenProcess,NtSuspendProcess,CloseHandle | 0_2_0086BE01
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0086BE2D OpenProcess,NtResumeProcess,CloseHandle | 0_2_0086BE2D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 16_2_0041330D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA | 16_2_0041D620
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 16_2_0041BBC6
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 16_2_0041BB9A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021B3574 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile | 16_2_021B3574
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021BD887 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA | 16_2_021BD887
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021BBE01 OpenProcess,NtSuspendProcess,CloseHandle | 16_2_021BBE01
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021BBE2D OpenProcess,NtResumeProcess,CloseHandle | 16_2_021BBE2D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 31_2_0041330D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA | 31_2_0041D620
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle,31_2_0041BBC6
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,31_2_0041BB9A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_02223574 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,31_2_02223574
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0222D887 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,31_2_0222D887
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0222BE2D OpenProcess,NtResumeProcess,CloseHandle,31_2_0222BE2D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0222BE01 OpenProcess,NtSuspendProcess,CloseHandle,31_2_0222BE01
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004167EF
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00866A5B ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_00866A5B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,16_2_004167EF
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021B6A5B ExitWindowsEx,LoadLibraryA,GetProcAddress,16_2_021B6A5B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,31_2_004167EF
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_02226A5B ExitWindowsEx,LoadLibraryA,GetProcAddress,31_2_02226A5B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 0040417E appears 46 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 02244A68 appears 41 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 022450D7 appears 45 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 00434801 appears 82 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 00457AA8 appears 34 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 00445951 appears 56 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 021D4A68 appears 41 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 00402213 appears 38 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 004052FD appears 32 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 021D50D7 appears 45 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 00434E70 appears 108 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 00401FAB appears 39 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 00411FA2 appears 32 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 00402093 appears 100 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 004020DF appears 40 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 004046F7 appears 34 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 00401E65 appears 69 times
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: String function: 0044854A appears 36 times
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: String function: 00402093 appears 50 times
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: String function: 008850D7 appears 45 times
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: String function: 00434801 appears 41 times
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: String function: 00401E65 appears 35 times
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: String function: 00434E70 appears 54 times
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: String function: 00884A68 appears 41 times
            Source: C:\Users\user\Desktop\documents-pdf.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 956
            Source: documents-pdf.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0000001F.00000002.2190431886.000000000067C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000010.00000002.4507148871.00000000007D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.2128363256.000000000093D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: Process Memory Space: documents-pdf.exe PID: 4508, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: yava_explore.exe PID: 5080, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: yava_explore.exe PID: 5744, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: documents-pdf.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: yava_explore.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine, Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@21/71@0/1
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_0041798D
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: 0_2_00867BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_00867BF4
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: 16_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 16_2_0041798D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: 16_2_021B7BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 16_2_021B7BF4
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: 31_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 31_2_0041798D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Code function: 31_2_02227BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 31_2_02227BF4
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_0040F4AF
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_0041B539
            Source: C:\Users\user\Desktop\documents-pdf.exe, Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AADB
            Source: C:\Users\user\Desktop\documents-pdf.exe, File created: C:\Users\user\AppData\Roaming\yava_explore.exe
            Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5080
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Mutant created: \Sessions\1\BaseNamedObjects\Rmc-AYRCHN
            Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4508
            Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5744
            Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c452eccd-ea36-4594-9bd5-2567d6421ff9
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: Software\, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: Rmc-AYRCHN, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: Exe, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: Exe, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: Rmc-AYRCHN, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: Inj, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: Inj, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: 8SG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: exepath, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: 8SG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: exepath, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: licence, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: dMG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: PSG, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: Administrator, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: User, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: del, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: del, function: 0_2_0040EA00
            Source: C:\Users\user\Desktop\documents-pdf.exe, Command line argument: del, function: 0_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe, Command line argument: PG, function: 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Software\16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Rmc-AYRCHN16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Exe16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Exe16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Rmc-AYRCHN16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Inj16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Inj16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: 8SG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: exepath16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: 8SG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: exepath16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: licence16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: dMG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PSG16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Administrator16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: User16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: del16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: del16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: del16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Software\31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Exe31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Inj31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Inj31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: 8SG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: exepath31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: 8SG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: exepath31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: licence31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: dMG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: PSG31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: Administrator31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: User31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: del31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: del31_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCommand line argument: del31_2_0040EA00
            Source: documents-pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\documents-pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: documents-pdf.exeReversingLabs: Detection: 76%
            Source: C:\Users\user\Desktop\documents-pdf.exeFile read: C:\Users\user\Desktop\documents-pdf.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\documents-pdf.exe "C:\Users\user\Desktop\documents-pdf.exe"
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 956
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1128
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1136
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1164
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1156
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1212
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1252
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Users\user\AppData\Roaming\yava_explore.exe "C:\Users\user\AppData\Roaming\yava_explore.exe"
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1380
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 684
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 744
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 776
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 680
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 684
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 732
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\yava_explore.exe "C:\Users\user\AppData\Roaming\yava_explore.exe"
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 580
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 780
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 716
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Users\user\AppData\Roaming\yava_explore.exe "C:\Users\user\AppData\Roaming\yava_explore.exe" Jump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: msvcr100.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: msimg32.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: msvcr100.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: msimg32.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: msvcr100.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\documents-pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\documents-pdf.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

            Data Obfuscation

            Source: C:\Users\user\Desktop\documents-pdf.exe | Unpacked PE file: 0.2.documents-pdf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Unpacked PE file: 16.2.yava_explore.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Unpacked PE file: 31.2.yava_explore.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_00457186 push ecx; ret 0_2_00457199
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0045E55D push esi; ret 0_2_0045E566
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0088511D push ecx; ret 0_2_00885130
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_008A73ED push ecx; ret 0_2_008A7400
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_00874CA7 push esi; ret 0_2_00874CA9
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_008A7D0F push eax; ret 0_2_008A7D2D
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_009421DF push 016C66B2h; iretd 0_2_00942262
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0094210F push 016C66B2h; iretd 0_2_00942262
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_00941425 push FFFFFFF6h; retf 0_2_00941427
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_0093F8F2 push cs; ret 0_2_0093F8F5
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_009409BE push eax; retf 0_2_009409C0
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_00457186 push ecx; ret 16_2_00457199
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_0045E55D push esi; ret 16_2_0045E566
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_00457AA8 push eax; ret 16_2_00457AC6
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_00434EB6 push ecx; ret 16_2_00434EC9
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_007DE3C7 push 016C66B2h; iretd 16_2_007DE51A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_007DE497 push 016C66B2h; iretd 16_2_007DE51A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_007DD6DD push FFFFFFF6h; retf 16_2_007DD6DF
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_007DBBAA push cs; ret 16_2_007DBBAD
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_007DCC76 push eax; retf 16_2_007DCC78
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021F73ED push ecx; ret 16_2_021F7400
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021D511D push ecx; ret 16_2_021D5130
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021C4CA7 push esi; ret 16_2_021C4CA9
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 16_2_021F7D0F push eax; ret 16_2_021F7D2D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_00457186 push ecx; ret 31_2_00457199
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_0045E55D push esi; ret 31_2_0045E566
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_00457AA8 push eax; ret 31_2_00457AC6
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_00434EB6 push ecx; ret 31_2_00434EC9
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: 31_2_0068114F push 016C66B2h; iretd 31_2_006812A2
            Source: documents-pdf.exe | Static PE information: section name: .text entropy: 7.927410473473771
            Source: yava_explore.exe.0.dr | Static PE information: section name: .text entropy: 7.927410473473771
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW, 0_2_00406EEB
            Source: C:\Users\user\Desktop\documents-pdf.exe | File created: C:\Users\user\AppData\Roaming\yava_explore.exe

            Boot Survival

            Source: C:\Users\user\Desktop\documents-pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-AYRCHNJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
            Source: C:\Users\user\Desktop\documents-pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-AYRCHNJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-AYRCHNJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0040F7E2 Sleep,ExitProcess,0_2_0040F7E2
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0085FA49 Sleep,ExitProcess,0_2_0085FA49
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_0040F7E2 Sleep,ExitProcess,16_2_0040F7E2
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_021AFA49 Sleep,ExitProcess,16_2_021AFA49
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0040F7E2 Sleep,ExitProcess,31_2_0040F7E2
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0221FA49 Sleep,ExitProcess,31_2_0221FA49
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A7D9
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0086AA40
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,16_2_0041A7D9
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,16_2_021BAA40
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,31_2_0041A7D9
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,31_2_0222AA40
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Window / User API: threadDelayed 502
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Window / User API: threadDelayed 9433
            Source: C:\Users\user\Desktop\documents-pdf.exe Evaded block: after key decision graph_0-88372
            Source: C:\Users\user\Desktop\documents-pdf.exe Evaded block: after key decision graph_0-88344
            Source: C:\Users\user\Desktop\documents-pdf.exe API coverage: 4.1 %
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe API coverage: 5.9 %
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe API coverage: 3.9 %
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe TID: 5248 Thread sleep count: 502 > 30
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe TID: 5248 Thread sleep time: -1506000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe TID: 5248 Thread sleep count: 9433 > 30
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe TID: 5248 Thread sleep time: -28299000s >= -30000s
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0044E8F9 FindFirstFileExA,0_2_0044E8F9
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0086C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0086C589
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0085C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0085C5EF
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_00859907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00859907
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_00858AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00858AAE
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_00857ADE FindFirstFileW,FindNextFileW,0_2_00857ADE
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0089EB60 FindFirstFileExA,0_2_0089EB60
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_0085BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0085BDD2
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_00869DED FindFirstFileW,0_2_00869DED
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_0040928E
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_0041C322
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_0040C388
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_004096A0
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_00408847
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_00407877 FindFirstFileW,FindNextFileW,16_2_00407877
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_0044E8F9 FindFirstFileExA,16_2_0044E8F9
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,16_2_00419B86
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,16_2_0040BD72
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_021BC589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_021BC589
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_021AC5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_021AC5EF
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_021A8AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_021A8AAE
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_021A7ADE FindFirstFileW,FindNextFileW,16_2_021A7ADE
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_021EEB60 FindFirstFileExA,16_2_021EEB60
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_021A9907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_021A9907
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_021ABDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_021ABDD2
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 16_2_021B9DED FindFirstFileW,16_2_021B9DED
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_0040928E
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,31_2_0041C322
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,31_2_0040C388
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_004096A0
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,31_2_00408847
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_00407877 FindFirstFileW,FindNextFileW,31_2_00407877
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0044E8F9 FindFirstFileExA,31_2_0044E8F9
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,31_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,31_2_00419B86
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,31_2_0040BD72
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0222C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,31_2_0222C589
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0221C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,31_2_0221C5EF
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_02218AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,31_2_02218AAE
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_02217ADE FindFirstFileW,FindNextFileW,31_2_02217ADE
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0225EB60 FindFirstFileExA,31_2_0225EB60
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_02219907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,31_2_02219907
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_02229DED FindFirstFileW,31_2_02229DED
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe Code function: 31_2_0221BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,31_2_0221BDD2
            Source: C:\Users\user\Desktop\documents-pdf.exe Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2
            Source: Amcache.hve.3.dr Binary or memory string: VMware
            Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
            Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
            Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: yava_explore.exe, 00000010.00000002.4507176842.0000000000835000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
            Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
            Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.3.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.3.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00443355 mov eax, dword ptr fs:[00000030h]0_2_00443355
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_008935BC mov eax, dword ptr fs:[00000030h]0_2_008935BC
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0085092B mov eax, dword ptr fs:[00000030h]0_2_0085092B
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00850D90 mov eax, dword ptr fs:[00000030h]0_2_00850D90
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0093D7FB push dword ptr fs:[00000030h]0_2_0093D7FB
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_00443355 mov eax, dword ptr fs:[00000030h]16_2_00443355
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_007D9AB3 push dword ptr fs:[00000030h]16_2_007D9AB3
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021E35BC mov eax, dword ptr fs:[00000030h]16_2_021E35BC
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021A092B mov eax, dword ptr fs:[00000030h]16_2_021A092B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021A0D90 mov eax, dword ptr fs:[00000030h]16_2_021A0D90
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_00443355 mov eax, dword ptr fs:[00000030h]31_2_00443355
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0067C83B push dword ptr fs:[00000030h]31_2_0067C83B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_022535BC mov eax, dword ptr fs:[00000030h]31_2_022535BC
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0221092B mov eax, dword ptr fs:[00000030h]31_2_0221092B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_02210D90 mov eax, dword ptr fs:[00000030h]31_2_02210D90
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_004120B2 GetProcessHeap,HeapFree,0_2_004120B2
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043503C
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB71
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00434BD8 SetUnhandledExceptionFilter,0_2_00434BD8
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_008852A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_008852A3
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00884CF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00884CF1
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0088BDD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0088BDD8
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_0043503C
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00434A8A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0043BB71
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_00434BD8 SetUnhandledExceptionFilter,16_2_00434BD8
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021D52A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_021D52A3
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021D4CF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_021D4CF1
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 16_2_021DBDD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_021DBDD8
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_0043503C
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00434A8A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_0043BB71
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_00434BD8 SetUnhandledExceptionFilter,31_2_00434BD8
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_022452A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_022452A3
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_02244CF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_02244CF1
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: 31_2_0224BDD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_0224BDD8
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_00412132
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe16_2_00412132
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe31_2_00412132
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00419662 mouse_event,0_2_00419662
            Source: C:\Users\user\Desktop\documents-pdf.exeProcess created: C:\Users\user\AppData\Roaming\yava_explore.exe "C:\Users\user\AppData\Roaming\yava_explore.exe" Jump to behavior
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00434CB6 cpuid 0_2_00434CB6
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: EnumSystemLocalesW,0_2_0045201B
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: EnumSystemLocalesW,0_2_004520B6
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452143
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoW,0_2_00452393
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: EnumSystemLocalesW,0_2_00448484
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004524BC
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoW,0_2_004525C3
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452690
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoW,0_2_0044896D
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoA,0_2_0040F90C
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451D58
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: EnumSystemLocalesW,0_2_00451FD0
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: EnumSystemLocalesW,0_2_008A2282
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: EnumSystemLocalesW,0_2_008A2237
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: EnumSystemLocalesW,0_2_008A231D
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoW,0_2_008A25FA
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: EnumSystemLocalesW,0_2_008986EB
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_008A2723
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_008A28F7
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoW,0_2_008A282A
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoW,0_2_00898BD4
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: GetLocaleInfoA,0_2_0085FB73
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_008A1FBF
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,16_2_0045201B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,16_2_004520B6
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,16_2_00452143
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,16_2_00452393
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,16_2_00448484
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,16_2_004524BC
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,16_2_004525C3
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,16_2_00452690
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,16_2_0044896D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoA,16_2_0040F90C
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,16_2_00451D58
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,16_2_00451FD0
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,16_2_021F2237
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,16_2_021F2282
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,16_2_021F231D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,16_2_021E86EB
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,16_2_021F2723
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,16_2_021F25FA
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoA,16_2_021AFB73
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,16_2_021E8BD4
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,16_2_021F282A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,16_2_021F28F7
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,16_2_021F1FBF
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,31_2_0045201B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,31_2_004520B6
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,31_2_00452143
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,31_2_00452393
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,31_2_00448484
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,31_2_004524BC
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,31_2_004525C3
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,31_2_00452690
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,31_2_0044896D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoA,31_2_0040F90C
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,31_2_00451D58
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,31_2_00451FD0
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,31_2_02262237
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,31_2_02262282
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,31_2_0226231D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: EnumSystemLocalesW,31_2_022586EB
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,31_2_02262723
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,31_2_022625FA
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoA,31_2_0221FB73
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,31_2_02258BD4
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetLocaleInfoW,31_2_0226282A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,31_2_022628F7
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,31_2_02261FBF
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0041A045 __EH_prolog,73C35D90,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep,0_2_0041A045
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_0041B69E GetComputerNameExW,GetUserNameW,0_2_0041B69E
            Source: C:\Users\user\Desktop\documents-pdf.exeCode function: 0_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00449210
            Source: C:\Users\user\AppData\Roaming\yava_explore.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.3.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.3.drBinary or memory string: msmpeng.exe
            Source: Amcache.hve.3.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.3.drBinary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000010.00000002.4507176842.000000000081D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4507176842.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2128430234.0000000000981000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190470825.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: documents-pdf.exe PID: 4508, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5080, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5744, type: MEMORYSTR
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_0040BA4D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 16_2_0040BA4D
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 31_2_0040BA4D
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_0040BB6B
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: \key3.db | 0_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 16_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: \key3.db | 16_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 31_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: \key3.db | 31_2_0040BB6B

            Remote Access Functionality

            Source: C:\Users\user\Desktop\documents-pdf.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-AYRCHN
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-AYRCHN
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-AYRCHN
            Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.21a0e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.3.yava_explore.exe.2290000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.850e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.documents-pdf.exe.22c0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 31.2.yava_explore.exe.2210e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.3.yava_explore.exe.2220000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.documents-pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.yava_explore.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000010.00000002.4507176842.000000000081D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4507176842.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2128430234.0000000000981000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190470825.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: documents-pdf.exe PID: 4508, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5080, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: yava_explore.exe PID: 5744, type: MEMORYSTR
            Source: C:\Users\user\Desktop\documents-pdf.exe | Code function: cmd.exe | 0_2_0040569A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: cmd.exe | 16_2_0040569A
            Source: C:\Users\user\AppData\Roaming\yava_explore.exe | Code function: cmd.exe | 31_2_0040569A
MITRE ATT&CK Matrix (techniques flagged for this sample carry the report's count of matching signatures in parentheses; the remaining cells are the unflagged matrix template, listed in the report's row order)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Native API (2), Command and Scripting Interpreter (12), Service Execution (2), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Windows Service (1), Registry Run Keys / Startup Folder (11), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (21), Registry Run Keys / Startup Folder (11), Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1), Bypass User Account Control (1), Masquerading (1), Virtualization/Sandbox Evasion (2), Access Token Manipulation (1), Process Injection (21), Dynamic API Resolution
Credential Access: OS Credential Dumping (1), Input Capture (111), Credentials In Files (2), NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (3), System Information Discovery (23), Security Software Discovery (141), Virtualization/Sandbox Evasion (2), Process Discovery (1), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data (11), Input Capture (111), Clipboard Data (3), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Ingress Tool Transfer (11), Encrypted Channel (2), Non-Standard Port (1), Remote Access Software (1), Application Layer Protocol (1), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Defacement (1), Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior Graph (ID: 1513854; Sample: documents-pdf.exe; Start date: 19/09/2024; Architecture: WINDOWS; Score: 100)

Start node signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
• documents-pdf.exe (1 created registry value, 3 created files), started from the start node
  • dropped: C:\Users\user\AppData\...\yava_explore.exe (PE32)
  • dropped: C:\Users\...\yava_explore.exe:Zone.Identifier (ASCII)
  • signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); Detected Remcos RAT; 6 other signatures
  • started: yava_explore.exe
    • DNS/IP: 198.23.227.212, ports 32583, 49720, 49722 (32583 is the non-standard remote C2 port; 49720 and 49722 are local ephemeral ports), AS-COLOCROSSINGUS, United States
    • signatures: Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); 5 other signatures
    • started: WerFault.exe (3 instances); 5 other processes
  • started: WerFault.exe (2 instances, 16 created files); 6 other processes
• yava_explore.exe, started from the start node (the autostart copy)
  • started: WerFault.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source | Detection | Scanner | Label
documents-pdf.exe | 76% | ReversingLabs | Win32.Backdoor.Remcos
documents-pdf.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\yava_explore.exe | 76% | ReversingLabs | Win32.Backdoor.Remcos

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | Avira URL Cloud | safe
198.23.227.212 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp | 0% | Avira URL Cloud | safe
Contacted domains: No contacted domains info

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
198.23.227.212 | true | Avira URL Cloud: safe | unknown

URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | yava_explore.exe | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.3.dr | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | documents-pdf.exe, 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, documents-pdf.exe, 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, documents-pdf.exe, 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, yava_explore.exe, 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, yava_explore.exe, 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, yava_explore.exe, 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, yava_explore.exe, 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, yava_explore.exe, 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, yava_explore.exe, 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
198.23.227.212 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1513854
Start date and time: 2024-09-19 14:51:36 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: documents-pdf.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@21/71@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 97%
            • Number of executed functions: 16
            • Number of non-executed functions: 395
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe
            • Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.42.73.29, 20.189.173.21
            • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: documents-pdf.exe
Time | Type | Description
08:52:35 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
08:53:11 | API Interceptor | 2987568x Sleep call for process: yava_explore.exe modified
14:52:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-AYRCHN "C:\Users\user\AppData\Roaming\yava_explore.exe"
14:52:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-AYRCHN "C:\Users\user\AppData\Roaming\yava_explore.exe"
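The two Autostart entries above are the persistence footprint a responder would hunt for on other hosts: a Run value named Rmc- plus six upper-case alphanumerics, pointing at a copy of the sample under the user's AppData\Roaming, written once under HKCU and once under HKCU64. The following scanner is an added example for this page, not Joe Sandbox code; its input is the two timeline lines above plus one benign entry constructed as a control, and the Rmc- name pattern is treated as a heuristic drawn from this report rather than a specification of the family.

```python
"""Flag Remcos-style Run-key persistence in Joe Sandbox 'Autostart' timeline lines.

Added example for this page, not Joe Sandbox code. The heuristic (value name
'Rmc-' + six upper-case alphanumerics, target under the user's AppData\\Roaming)
is an assumption derived from the two Autostart entries in this report.
"""
from __future__ import annotations

import re
from typing import Iterable, NamedTuple

# Constructed input: the two Autostart entries from the report's timeline, plus one
# benign entry made up here as a control (not from the report).
LOG_LINES = [
    r'14:52:30 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-AYRCHN "C:\Users\user\AppData\Roaming\yava_explore.exe"',
    r'14:52:39 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-AYRCHN "C:\Users\user\AppData\Roaming\yava_explore.exe"',
    r'14:53:01 Autostart Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SecurityHealth "C:\Windows\System32\SecurityHealthSystray.exe"',
]

# Tolerates both the spaced form above and the unspaced '14:52:30AutostartRun:' form
# that the raw report export produces.
_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s*Autostart\s*Run:\s*"
    r"(?P<key>\S+\\Run)\s+(?P<name>\S+)\s+\"(?P<target>[^\"]+)\"\s*$"
)
_RMC_NAME = re.compile(r"^Rmc-[A-Z0-9]{6}$")                     # assumed family default
_USER_ROAMING = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\", re.IGNORECASE)


class RunEntry(NamedTuple):
    time: str
    key: str
    name: str
    target: str


def parse_autostart(line: str) -> RunEntry | None:
    """Split one timeline line into (time, registry key, value name, target path)."""
    m = _LINE.match(line)
    return RunEntry(**m.groupdict()) if m else None


def is_remcos_like(entry: RunEntry) -> bool:
    """Both conditions must hold: the Rmc- value name and a target under AppData\\Roaming."""
    return bool(_RMC_NAME.match(entry.name)) and bool(_USER_ROAMING.match(entry.target))


def scan(lines: Iterable[str]) -> list[RunEntry]:
    """Return flagged entries, collapsing the HKCU and HKCU64 views of the same value."""
    seen: set[tuple[str, str]] = set()
    flagged: list[RunEntry] = []
    for line in lines:
        entry = parse_autostart(line)
        if entry is None or not is_remcos_like(entry):
            continue
        ident = (entry.name.upper(), entry.target.lower())
        if ident not in seen:
            seen.add(ident)
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f"{hit.time} {hit.key} {hit.name} -> {hit.target}")
```

Requiring both the name pattern and the AppData\Roaming target keeps a renamed legitimate updater from tripping the rule, and the dedupe step matters because the report logs the same value twice (HKCU and HKCU64), which would otherwise double-count one persistence mechanism.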
Context: related samples by contacted IP (SHA 256 and Link were hyperlinks in the original and carry no data here)
Match | Associated Sample Name / URL | Detection | Threat Name
198.23.227.212 | 1kZ9olJiaG.exe | malicious | Remcos
198.23.227.212 | ltlbVjClX9.exe | malicious | Remcos

Context: related samples by domain: No context

Context: related samples by ASN
Match | Associated Sample Name / URL | Detection | Threat Name | Context IP
AS-COLOCROSSINGUS | 12hLshsAaV.elf | malicious | Unknown | 104.168.50.203
AS-COLOCROSSINGUS | file.exe | malicious | Metasploit | 23.95.197.200
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24943.32494.rtf | malicious | Unknown | 198.23.133.156
AS-COLOCROSSINGUS | 17265825068238c1f4fae0310a1dd9b487dd8dd6291b4cd61b7c813cd66f4593f2833d6c21905.dat-decoded.exe | malicious | Remcos | 192.3.101.29
AS-COLOCROSSINGUS | RFQ PO-DF9087.vbs | malicious | Remcos | 192.3.101.29
AS-COLOCROSSINGUS | PO_NODF9087.vbs | malicious | Remcos, PureLog Stealer | 198.23.133.156
AS-COLOCROSSINGUS | PO_NODF9087.xla.xlsx | malicious | Remcos, PureLog Stealer | 198.23.133.156
AS-COLOCROSSINGUS | RFQ#TLPO15-13.xla.xlsx | malicious | Remcos, PureLog Stealer | 192.210.214.9
AS-COLOCROSSINGUS | https://97169.top/ | malicious | Unknown | 107.173.70.90
AS-COLOCROSSINGUS | PO#4502968189 Packinglist for confirmation.exe | malicious | RedLine | 198.12.90.244

Context: related samples by JA3 fingerprint: No context
Context: related samples by dropped file: No context
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):1.030596394938332
                Encrypted:false
                SSDEEP:192:gAvvg5sFu/Dn0GQzujueZrBBRdzuiFpZ24IO8z:FFFu/D0GQzujnzuiFpY4IO8z
                MD5:7751F17CAAE67576CC464442B3BC1B7B
                SHA1:3D71852D4E4E4C123636E4A3007EE89C66909503
                SHA-256:5663BD9294065102A13457A53A6A46FAB5FC3049790EB10B12DB5385D5B4A83E
                SHA-512:029A4D51E5561CEDEA0416A074D60D95CE719C8F22AAF2BF54F169514FF3C652442121FA9D5B3DF316488A8DDC2F76FB0E61E28A75E13EF9600629C521616B25
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239528944044 | ReportType=2 | Consent=1 | UploadTime=133712239533162951 | ReportStatus=655456 | ReportIdentifier=632309ac-9270-43d4-b5ff-a44cd2199b4b | IntegratorReportIdentifier=d7e54177-769f-4a9b-9925-c5a88eccef34 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=documents-pdf.exe | AppSessionGuid=0000119c-0001-0014-4768-45c7920adb01 | TargetAppId=W:0006c57290b0c31946362246dcff1f7c9b7c0000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!documents-pdf.exe | Tar [preview truncated]
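The crash-report files WerFault.exe dropped during this run are Windows Error Reporting records (UTF-16LE, CRLF-separated key=value lines), and they carry triage data that survives even when the sample itself has been deleted: NsAppName is the crashing image, the first segment of AppSessionGuid is its PID in hex (0x119c is 4508, the documents-pdf.exe PID the Yara matches list), EventTime is a FILETIME, and TargetAppId has the layout W:<AppId hash>!0000<40 hex>!<image name> where the 40 hex digits are the SHA-1 of the crashing executable (the same 4610fe69... value appears in the documents-pdf.exe and the yava_explore.exe reports, consistent with the dropped file being a copy of the sample). The parser below is an added example for this page, not Joe Sandbox code; its input is the first preview above re-encoded as the bytes WER writes, the function and field names are the example's own, and reading the TargetAppVer date as the image's PE header timestamp is an assumption.

```python
"""Parse Windows Error Reporting (.wer) crash reports such as the files WerFault.exe
dropped in this run.

Added example for this page, not Joe Sandbox code. Function names and the constructed
input are the example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed input: the first dropped-file preview above, re-encoded the way WER writes
# it (UTF-16LE with byte-order mark, CRLF-terminated key=value lines). Only the fields
# visible in the report's preview are reproduced.
SAMPLE_WER: bytes = b"\xff\xfe" + (
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "EventTime=133712239528944044\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "NsAppName=documents-pdf.exe\r\n"
    "AppSessionGuid=0000119c-0001-0014-4768-45c7920adb01\r\n"
    "TargetAppId=W:0006c57290b0c31946362246dcff1f7c9b7c0000ffff!"
    "00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!documents-pdf.exe\r\n"
    "TargetAppVer=2024//09//03:14:32:03!0!documents-pdf.exe\r\n"
).encode("utf-16-le")

# TargetAppId layout seen in the report: W:<AppId hash>!0000<SHA-1 of the image>!<image name>
_TARGET_APP_ID = re.compile(r"^W:[0-9a-fA-F]+!0000([0-9a-fA-F]{40})!(.+)$")
# TargetAppVer layout seen in the report: YYYY//MM//DD:HH:MM:SS!<version>!<image name>
# (assumed here to be the image's PE header timestamp)
_TARGET_APP_VER = re.compile(r"^(\d{4})//(\d{2})//(\d{2}):(\d{2}):(\d{2}):(\d{2})!")
# AppSessionGuid starts with the process ID as eight hex digits
_SESSION_PID = re.compile(r"^([0-9a-fA-F]{8})-")

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class WerCrash:
    event_type: str
    app_name: str                      # NsAppName: the image that crashed
    pid: int | None                    # from AppSessionGuid
    image_sha1: str | None             # from TargetAppId, lower-case hex
    event_time: datetime               # EventTime (FILETIME) as UTC
    image_timestamp: datetime | None   # TargetAppVer date, assumed PE timestamp


def parse_wer_fields(raw: bytes) -> dict[str, str]:
    """Decode a .wer file (UTF-16 with BOM) into its key=value fields."""
    text = raw.decode("utf-16")        # honours the FF FE byte-order mark
    fields: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 00:00 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_wer(raw: bytes) -> WerCrash:
    f = parse_wer_fields(raw)
    sha1 = None
    if m := _TARGET_APP_ID.match(f.get("TargetAppId", "")):
        sha1 = m.group(1).lower()
    pid = None
    if p := _SESSION_PID.match(f.get("AppSessionGuid", "")):
        pid = int(p.group(1), 16)
    image_ts = None
    if v := _TARGET_APP_VER.match(f.get("TargetAppVer", "")):
        y, mo, d, h, mi, s = (int(x) for x in v.groups())
        image_ts = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    return WerCrash(
        event_type=f.get("EventType", ""),
        app_name=f.get("NsAppName", ""),
        pid=pid,
        image_sha1=sha1,
        event_time=filetime_to_utc(int(f["EventTime"])),
        image_timestamp=image_ts,
    )


def crashed_image_matches(raw: bytes, known_sha1: str) -> bool:
    """True when the report's embedded image SHA-1 equals known_sha1 (case-insensitive)."""
    crash = parse_wer(raw)
    return crash.image_sha1 is not None and crash.image_sha1 == known_sha1.lower()


if __name__ == "__main__":
    crash = parse_wer(SAMPLE_WER)
    print(crash.app_name, crash.pid, crash.image_sha1, crash.event_time.isoformat())
```

Run against the sample above, EventTime 133712239528944044 decodes to 2024-09-19 12:52:32 UTC, which is 14:52:32 in the report's +02:00 zone, about a minute into the run; the PID comes out as 4508. On a live host the same parser can be pointed at the .wer files under the WER ReportQueue and ReportArchive directories to recover the hash and name of a crashing binary that was later removed, and the embedded SHA-1 should always be checked against a hash of the file itself when the file is still available.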
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9505307192633504
                Encrypted:false
                SSDEEP:192:wY4H5sRu/b/g056rwjueZrB4zuiFpZ24IO8z:wY4yRu/b/756rwjyzuiFpY4IO8z
                MD5:E96D6746A6590D74BC8BA5D4D35E1142
                SHA1:A46AF1B48A25E5B682A3AB6563935C04D3B3F31B
                SHA-256:5ABBBAF10AEAEE143826A822B3A799CB2997A38B176E9CE9A1771BC3DC6EE2D7
                SHA-512:E81AADA86ED3AB8C86E2B587267B297D03421106F9DBF412ACA7E9C56A94E6CD4E0CC138F4473BC9E97464540C7D126B3C9CC0F2FC5BDFDECE128766655450B3
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239480977320 | ReportType=2 | Consent=1 | ReportIdentifier=32e697fb-0b74-4f85-8b05-6875d218da58 | IntegratorReportIdentifier=75bfb1b6-bb7f-4e8c-b646-80b98f805538 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=documents-pdf.exe | AppSessionGuid=0000119c-0001-0014-4768-45c7920adb01 | TargetAppId=W:0006c57290b0c31946362246dcff1f7c9b7c0000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!documents-pdf.exe | TargetAppVer=2024//09//03:14:32:03!0!documents-pdf.exe [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9501496910680404
                Encrypted:false
                SSDEEP:192:R5sGu/b/g056rwjueZrB4zuiFpZ24IO8z:EGu/b/756rwjyzuiFpY4IO8z
                MD5:60C147624B84971E75AA3D284834B6F4
                SHA1:C6FF387CEC53E3EFCBA8481F99998A072213797C
                SHA-256:04705D264F6CAE2E3AF7F564E762F5C4FF77E6DC7CD0CA0A208282EB20FD761D
                SHA-512:0CDDA98C5582F6B95DAF31D03E6D82655D34D40DD8C28ADFC69EB4EC94483DC96798DEC68D46FB6ACBBF010FD4E9813BAB84AA87D48B2F918275870191B992D4
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239516716042 | ReportType=2 | Consent=1 | ReportIdentifier=3b632368-c7d3-462f-82e8-be7604c5b2ed | IntegratorReportIdentifier=1b06eefb-05e3-4c7c-ae90-5c1443088c97 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=documents-pdf.exe | AppSessionGuid=0000119c-0001-0014-4768-45c7920adb01 | TargetAppId=W:0006c57290b0c31946362246dcff1f7c9b7c0000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!documents-pdf.exe | TargetAppVer=2024//09//03:14:32:03!0!documents-pdf.exe [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9367508089403652
                Encrypted:false
                SSDEEP:192:Vdb5snu/b/g056rwjueZrBxzuiFpZ24IO8z:Vd+nu/b/756rwjbzuiFpY4IO8z
                MD5:04DEADA1C670CA3780BB155C49B4D4F3
                SHA1:0547135936C529CBB28CABB12B6B3C8F7D87D7D8
                SHA-256:3FA7B9A30EE2628B256CB643EA4EC206730468970D6081662B8700347F28DC8F
                SHA-512:28EF1E367D39D499EB2BBA6F4168ACA2B3202DB76E5EC1BE571BAB281B00A7AC19D91A884DC4B76756278DF58EF10EA52DE0DCEB25273A88BD5A25EF20121CBE
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239470568354 | ReportType=2 | Consent=1 | ReportIdentifier=6f80c5e1-745a-4e67-a7e5-2d55bf65bea9 | IntegratorReportIdentifier=7d57147d-8488-442d-b389-b36d03532cc9 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=documents-pdf.exe | AppSessionGuid=0000119c-0001-0014-4768-45c7920adb01 | TargetAppId=W:0006c57290b0c31946362246dcff1f7c9b7c0000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!documents-pdf.exe | TargetAppVer=2024//09//03:14:32:03!0!documents-pdf.exe [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9504441605903092
                Encrypted:false
                SSDEEP:192:YY5sIu/b/g056rwjueZrB4zuiFpZ24IO8z:QIu/b/756rwjyzuiFpY4IO8z
                MD5:3BE85DC98B012C7EE4AE5D71364EFF8F
                SHA1:721B0C73578E57C38280C9D9062A74E6A7295C7A
                SHA-256:87836A674DD9DD24351EE48100B6AF6581D65935E9306E01FCD7515E3E2766AC
                SHA-512:E09309B073675538128F56F5F27CB35295B8099F0BF5C8EDAFB791023317F02A0E9AE96B5209E183F91815E63D3EF6833DCB700B25F0CC8684139D24A653A2DF
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239522449425 | ReportType=2 | Consent=1 | ReportIdentifier=8e65b51d-8cf7-49c7-800e-1c2970e61967 | IntegratorReportIdentifier=93dc2c22-a156-452b-8661-56910b34f117 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=documents-pdf.exe | AppSessionGuid=0000119c-0001-0014-4768-45c7920adb01 | TargetAppId=W:0006c57290b0c31946362246dcff1f7c9b7c0000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!documents-pdf.exe | TargetAppVer=2024//09//03:14:32:03!0!documents-pdf.exe [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9500659452611556
                Encrypted:false
                SSDEEP:192:/15siu/b/g056rwjueZrB4zuiFpZ24IO8z:Yiu/b/756rwjyzuiFpY4IO8z
                MD5:FDF17C5E3722879A85BF231C1FDCAB0F
                SHA1:74A80A56A75C355E04AE872CCD084C439F58280B
                SHA-256:21A994E9E63DAB729607366E1BCCCA5A12965BB2BA2CF42D8A32B2B8E066479A
                SHA-512:22011C67ACA77D474B9FA3D37DDD4B51EE61527BE3132115AB46CCFC503811B3F35F1F33A0C23120430C9BCB9B1D7F3B8D21991E8BF2A4056E0D7FE61EE81962
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239497904779 | ReportType=2 | Consent=1 | ReportIdentifier=b85bd28c-fc1d-4f9b-b7a4-3c5ec333f682 | IntegratorReportIdentifier=60275dc8-4a40-4842-83dd-8fa05fde0f97 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=documents-pdf.exe | AppSessionGuid=0000119c-0001-0014-4768-45c7920adb01 | TargetAppId=W:0006c57290b0c31946362246dcff1f7c9b7c0000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!documents-pdf.exe | TargetAppVer=2024//09//03:14:32:03!0!documents-pdf.exe [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9504062272490045
                Encrypted:false
                SSDEEP:192:TK5s7u/b/g056rwjueZrB4zuiFpZ24IO8z:L7u/b/756rwjyzuiFpY4IO8z
                MD5:76DAFC83A8B9AEDEF6E792CB3FB0C5D1
                SHA1:BA29068127D13373E30F2B46453BBEEA2DE6E159
                SHA-256:C2D7B688F409AFDDADEB2A21F269A1630251229495435759271A4A0035A2AC7A
                SHA-512:5D85569531BE21241AF8C0F060592C0E749E5088EC58BB2D607C1A8905C8CA0373BF476C2374BA2F61741ACF15C70B5BB9B9D582AEE4BB62B50350889DE12B50
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239503908573 | ReportType=2 | Consent=1 | ReportIdentifier=bcf8e420-8032-401a-a331-87184cff83cf | IntegratorReportIdentifier=41c63330-b14e-4b27-b648-8df26d1494c9 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=documents-pdf.exe | AppSessionGuid=0000119c-0001-0014-4768-45c7920adb01 | TargetAppId=W:0006c57290b0c31946362246dcff1f7c9b7c0000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!documents-pdf.exe | TargetAppVer=2024//09//03:14:32:03!0!documents-pdf.exe [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:modified
                Size (bytes):65536
                Entropy (8bit):0.950416810148443
                Encrypted:false
                SSDEEP:192:r8y5s3u/b/g056rwjueZrB4zuiFpZ24IO8z:YX3u/b/756rwjyzuiFpY4IO8z
                MD5:6618E8059643DBF95FD683E1A46C38EC
                SHA1:74A89E24F5BC62BF2363CF458DFAEF85BFF394EF
                SHA-256:7A61310E95DD2FC58E5683D658E16D9A56EF776438B5DDA846CFE35733C6F39B
                SHA-512:57955C6E5CBFD00907612F3F0AF9C2790414A2E34BFB1856CD8448F4F38ED355A207998F8C2D9F7564EC3E041E754B2C4F1D3F2E564F389C7729D821FBA1DF8D
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239491989658 | ReportType=2 | Consent=1 | ReportIdentifier=ea881abb-e09c-4ac1-a496-7fb64dca8163 | IntegratorReportIdentifier=e4a5744b-1519-4601-b52d-5d62e715c2d1 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=documents-pdf.exe | AppSessionGuid=0000119c-0001-0014-4768-45c7920adb01 | TargetAppId=W:0006c57290b0c31946362246dcff1f7c9b7c0000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!documents-pdf.exe | TargetAppVer=2024//09//03:14:32:03!0!documents-pdf.exe [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9179198987342558
                Encrypted:false
                SSDEEP:192:n5bu5I/p/g0JsAnbcA/jueZr3uzuiFpZ24IO8N:U5I/p/7JsAnbcA/jyzuiFpY4IO8N
                MD5:44A19BFAD682153E792BAAAA118FFEEC
                SHA1:2A92F1FD9F7F56851656ECAF04652C2EDE3C8DA7
                SHA-256:6A2DBECC757B86941EBDCACE0A2C5B9B068C0ED187C29B509CBF04D7C5365075
                SHA-512:6CD85CE763FDEEAA5AA7F7A9A8313A79AFC6A001B90BA5DD9957983339663CBA888DD988CB1BA4EDCEEE7EB2ED939FDAF4ACC02E781F4DD2254A8D00B93E468A
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239605958358 | ReportType=2 | Consent=1 | ReportIdentifier=05b7cfa4-2c95-4af2-a3df-8e61b0d16ac2 | IntegratorReportIdentifier=f460f17e-a778-4510-993f-3cd330aa16d8 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=yava_explore.exe | AppSessionGuid=000013d8-0001-0014-84cd-1bcb920adb01 | TargetAppId=W:0006fdf7bfc93d791e9a0ea734bf9c56e8370000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!yava_explore.exe | TargetAppVer=2024//09//03:14:32:03!0!yava_explore.exe | Bo [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9179600375158241
                Encrypted:false
                SSDEEP:192:ubuvI/p/g0JsAnbcA/jueZr3uzuiFpZ24IO8N:zvI/p/7JsAnbcA/jyzuiFpY4IO8N
                MD5:C694A173B05AF6D1A5097EE0F839ED7A
                SHA1:AB01305CD1D783AE8C3086282D7ED472A779B225
                SHA-256:647C174AFEC944F155FD2DB3E3E8331363DF64687B36A03FBFA4C16364B2ADE6
                SHA-512:BC8FC35D93CC6B3D98595BE84A5DA052539E861A9A0A045D703D32F832E6E5C89152F7935A42A90C87EDD0D27049CE4BD132C9909251869E900E977A5AA96C2A
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239553962195 | ReportType=2 | Consent=1 | ReportIdentifier=106c26f9-3440-48b4-9afb-29c0121e8f8f | IntegratorReportIdentifier=71392984-5d00-418e-ab86-158aa83d7996 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=yava_explore.exe | AppSessionGuid=000013d8-0001-0014-84cd-1bcb920adb01 | TargetAppId=W:0006fdf7bfc93d791e9a0ea734bf9c56e8370000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!yava_explore.exe | TargetAppVer=2024//09//03:14:32:03!0!yava_explore.exe | Bo [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.917920369082621
                Encrypted:false
                SSDEEP:192:pbuPI/p/g056rQjueZr3uzuiFpZ24IO8N:EPI/p/756rQjyzuiFpY4IO8N
                MD5:FD3FDE65436CE407FBAA32D5FB3C23B0
                SHA1:B2B0B05C7D17695A8E2E000B79F501A367A433A0
                SHA-256:D54BADC0EC5C8C748B92166F3DA91E9495403413D75C66DB263617C44F1B06DD
                SHA-512:4D1826ECEA386149ED2B1F5D5939AC91004383D148E299684D17E13BB1DDD902432542583EC7F9071DD1F6328C78D6EE8E2A78904F07DA50A607403EEECBD47A
                Malicious:false
Preview (decoded from UTF-16LE; the file holds one key=value per CRLF-terminated line): Version=1 | EventType=APPCRASH | EventTime=133712239589701982 | ReportType=2 | Consent=1 | ReportIdentifier=49e135d9-074a-4553-bbaa-0a20f494e2fd | IntegratorReportIdentifier=6495c8cc-364a-4d91-88b5-2565ef81a6e5 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=yava_explore.exe | AppSessionGuid=000013d8-0001-0014-84cd-1bcb920adb01 | TargetAppId=W:0006fdf7bfc93d791e9a0ea734bf9c56e8370000ffff!00004610fe694c6c796ed9ab5cc729519fe3c1fa7629!yava_explore.exe | TargetAppVer=2024//09//03:14:32:03!0!yava_explore.exe | Bo [preview truncated]
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9181771530888408
                Encrypted:false
                SSDEEP:192:K2buUI/p/g056rQjueZr3uzuiFpZ24IO8N:KrUI/p/756rQjyzuiFpY4IO8N
                MD5:72D8E3ED8ACADC1EE5390557DB5AD2B2
                SHA1:05695487DDBF721622FC0145CA7F166D1E73843F
                SHA-256:63DE9997D7D5026061113E68DE3968821372792C59D2DE2904A5504EDAAA3CB2
                SHA-512:D0E05EC9057A0E5C4F6A95299A81D56F163A7C677946A1B7110434582540682C17C976F40CA54EF0C73F8299E1CAEAC63E7A686E04BCBD06CC761DD1736F5EAE
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9182417620519555
                Encrypted:false
                SSDEEP:192:cp/bugI/p/g0JsAnbcA/jueZr3uzuiFpZ24IO8N:dgI/p/7JsAnbcA/jyzuiFpY4IO8N
                MD5:2FCB527C3583919A5793375E58FBD8EA
                SHA1:41570BAE7B2648E5108299BAF447CE552635E1C9
                SHA-256:634C1318E5CD8E033D33E5B344F498A5C25732C2A397B2AF6497C4477C63E6B2
                SHA-512:FFCB471E31945765857141F06AC9B40C5F7482575ABFF4313564BAAF68DE1C88E2E5EA15F118FE707D0550FE63526602449A968D71FDA1937A4D985448B12261
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.9181067266165446
                Encrypted:false
                SSDEEP:192:szbujI/p/g056rQjueZr3uzuiFpZ24IO8N:s+jI/p/756rQjyzuiFpY4IO8N
                MD5:5AC386E8E54634F131495DA1D1B12A1C
                SHA1:3A08382587E59887C1EE0B86B486C15F717525EC
                SHA-256:869DF41EE74D52B4E446172ABD0617791E1B2B6455DF5F1B7F2CFFFF78182F70
                SHA-512:E581AB8993EC506E657FE5DCD9B92B9B08938CF9497BC75223BE6E71AF6AB1D0BCBB2F83B0E1AC328F0826FFFCD80CA4DE984F9017DC48F4F0D4A63A18189168
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.8904022923273399
                Encrypted:false
                SSDEEP:192:7buLI/p/g056rQjueZr3OzuiFpZ24IO8N:2LI/p/756rQjCzuiFpY4IO8N
                MD5:5903975DF471A3307889EEB86A5AC736
                SHA1:8BFEF6D14F65763AB19611D5C1BAB52ABCD69DD1
                SHA-256:1B3C9B6B460C12F03BE754CA30CE878198869F94A4958A776AE9DDBAEA340F92
                SHA-512:0419D358EE0C417238A2A6C37CF432D6536418DEBDEC218E11A470DA888108A577193C7F81EBDC2D1EED07CBE6AB57CAE07FE8FE561AE2E636D15F170DBF768C
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.8973575592448084
                Encrypted:false
                SSDEEP:192:6nbuhI/p/g056rQjueZr3CzuiFpZ24IO8N:6qhI/p/756rQjOzuiFpY4IO8N
                MD5:99ECEF7CAC132488FA0C62A008DCBB74
                SHA1:27D5689945ADE4B25F92E749E2050295846B697D
                SHA-256:2288E07E86A81FC3BF48A120A1E87052F59AD6DD2FC1F34C2F2B62680FA98904
                SHA-512:FF0121FCFAF9A7E044C5EC2D4BADD7E79F14F8F0C70A8648C38D02B3DAEEE462FB43AFA11BC019F3DE30F42728BDC7FE9C24572317EEC65076BB95E61277DC93
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:modified
                Size (bytes):65536
                Entropy (8bit):0.8855119432642029
                Encrypted:false
                SSDEEP:192:OJbuiI/Dn0brHDjjzkZrQzuiFpZ24IO8N:riI/D0brHDjj3zuiFpY4IO8N
                MD5:8C42BA718C6A3690152E709E81170A88
                SHA1:2DC8A587C3419F2227454DF97D015424DE351892
                SHA-256:90011A4B1A25A172BE77391054C7EB303BE3698A1527A860CDF608764708FD63
                SHA-512:E353BAC2E6238BE1B83DBD7BBDC111EACD99AD2212938F31F9B4E8C3B74EDB46A1F8D8D733C66A29FC63215FF038CC4C94CE795EE1FF34C2D9CD18BD247948CB
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:27 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):56556
                Entropy (8bit):2.252585712377842
                Encrypted:false
                SSDEEP:384:8BNLCgfEfrD5bzx30glUjcmop/oe7ZtIVa:8XLCgfEfrp6g2jcDpnFp
                MD5:8D43AE175218B8625CFF71097E3B873D
                SHA1:23C7517252928F4AB0582C2B98A8E618A0B7D9D7
                SHA-256:83149C7275021F3374DD880CDAC062162BB009A5E8A11A22E3A6B095A0889F0E
                SHA-512:16E3EC183E38B7DCC76B8F7B6C8C27D9F881845A6E4260BC9DE403D77035F4072D9781630B5923F26378AFA3A748D62710269B498C532BD8AF61753E6DD158DF
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8324
                Entropy (8bit):3.694813695815723
                Encrypted:false
                SSDEEP:192:R6l7wVeJTjg6rK6YEIqSU9M3M4gmfwzo1pBr89b22sfGxSm:R6lXJfg6rK6YElSU96M4gmfwzoW2VfGF
                MD5:BCC58FDDFF166E0718FE1EFA1ACDDBC7
                SHA1:8B7B4FD536B74314D0D8B652EED46EA39BAB68BF
                SHA-256:DB69D681B239C6AEE079A1B562C6CE56C878EFD4FEB4783657279C9B6A6C946D
                SHA-512:B8D6FB8FBB6FDEEF8A39DDABCD6C997113B4DB72A94EB680B44C71444B6EF5271914EE15A15E7F02860C89AA548FA8AECBE315B4DBB03AB52BFA8A9FB2E85F20
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4600
                Entropy (8bit):4.4578623556107155
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjwYm8M4J73qFJ+q8o3Gf3i3d:uIjfHI7zj7VIJ7ClGfy3d
                MD5:E4BB6A59E9D773E019A5BD740658B56C
                SHA1:35BEB30BDA90C64194D620EFB144CF5C5225CE96
                SHA-256:1730B9AAEE656793B951F10C0A0C8678F36A67224FEF2836855A26F5271B2085
                SHA-512:34DCABD1C1166A194700CD975644D89ED74E76D7CA75E9E8ECFCE55CEB9BAF8BD13B4FBABEB082F24016A1569392B0D73DAFD0AFEC63F19F07C0B50A12E677A4
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:28 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):84428
                Entropy (8bit):2.319474526445109
                Encrypted:false
                SSDEEP:384:RtkZPVtsToEfa882rIQZLo3HCsOgTnRPo9MB8+o5zQ4cmop/FSYQWpttUWT/B:RtkZ9ts8Efa8h5xoBHLBBoBVcDpxpcy
                MD5:17C3D3A3BE62B3D11351B4C65A211A2E
                SHA1:29996AB6AFA62D8279B4390B0F37F6143628250F
                SHA-256:FC89557BF83FB5EDBC3C123B23D168DBBDFD2DD990F2D7787C6039E93E53D3CD
                SHA-512:376E082B9D82979FD721FD798C099F2F4BB0AFEAD5775EBD39A0B7689A5B7181C0F15862BB6117E176D5A00C7861196B347002D313DFB60636F791A429971941
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8324
                Entropy (8bit):3.6945116992204903
                Encrypted:false
                SSDEEP:192:R6l7wVeJTO6d6YEIvSU9KMagmfwzo1pBa89bh2sfemLm:R6lXJ66d6YEQSU9KMagmfwzo5hVfe7
                MD5:47CCB953ADC51C69EE3703B1A7713A43
                SHA1:4C46DD8593602FAF1379924429A2B43D6644BCD8
                SHA-256:9863D51A138B5C4B1F83E2EA27912F35C7A92B3306987D9CFE049B6F6DE26E05
                SHA-512:973794BD1C257F3E7E2A636D6CE1020D96BC6B675146D37EDB1480E8CB2EF8FFD593DDD8CA1500D70B169991C55AD58EE691A53D5FA86385AFF323CE6DD524C6
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4600
                Entropy (8bit):4.457482271635071
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjDYm8M4J73qF1+q8o3Gf3i3d:uIjfHI7zj7VLJ7alGfy3d
                MD5:3D1613535F1CA86E4EFDCD8F9BB1409E
                SHA1:D20E86BE5752B852FC439BE757C4271DFB68BAFF
                SHA-256:614DBE95B963D0AEC03F4F94BA36FAB7AA735AAD6D109EF366E921FEE04D8E04
                SHA-512:5E0A0C80DD31868F9EC8E8D4E0A1B89C11748D452B7DBB279C0564B335AA0C4DECA45E276EC235F6FC2235B3B6991C98C9311A40637823A3BC334FCEC46F120B
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:29 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):88660
                Entropy (8bit):2.221941395699545
                Encrypted:false
                SSDEEP:384:YQv9pf/5cjEfmv80QzbAo3Hnw8MB8+o5zQ4cmop/Y/YqFyaGT5gJPmb:YQv9FRcjEfmvQXAoSBBoBVcDpgyaQ0g
                MD5:498EC966591990989FA905940515E911
                SHA1:0800CB5DCA2D966DB40FA820F0314DA85329597D
                SHA-256:353A2FCD05E196329C903804A71B30801BADA7D62EB88C58220D543AA40B214C
                SHA-512:33AE3C01F3E26E5BA723D03AFC8B82C0B32CC77BFF2861D3EFFD78586AF566CF343BDB7D452123B3789B471A44BA2CB2A4676855D89B9E1B0E79AB49D5E54F55
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8324
                Entropy (8bit):3.6948365848877085
                Encrypted:false
                SSDEEP:192:R6l7wVeJTr6XB6YEImSU9gMxgmfwzo1pB089bY2sfsIm:R6lXJf6R6YEpSU9gMxgmfwzorYVfi
                MD5:A8C13FB0084815F35B1CDACCB251FC3D
                SHA1:15C249544326FFA4B67841B21F737C5EA2FC7169
                SHA-256:72A4D1749C774BC938BC5F05E8390582AEB2212AB0E96996109A9D3F0D76028F
                SHA-512:5F6FF01767FFDBD7C6010470C1BDD0CD4424B3110EA0207E6DE6F5077628D4E294D5ADE36AFAD9F34DB0F9184A782CFB10BB537E5E31EDCCA8F1A3B58F9BF639
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4600
                Entropy (8bit):4.4546150542495795
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjHPYm8M4J73qFSV+q8o3Gf3i3d:uIjfHI7zj7VPJ7HVlGfy3d
                MD5:1CE98C05D8D59334D6B1993278D570BB
                SHA1:5151734737E5EC58E2C80ECDE451909F917B5497
                SHA-256:C1E338457FD2D9AC044194B02D58417A3810AA02FDA10B7EC0F971FEC77988A8
                SHA-512:41AB542654A93EE58FA408AA6D294A5C50BE3DCC0038458939E1C6AF4EAF90E890B68CFAAFBE09F6A6CBD0F7F738443B7F616787902FA071E75FD5441F79960D
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:29 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):88804
                Entropy (8bit):2.2561827003270922
                Encrypted:false
                SSDEEP:384:6N9pf/5iEfyw0QzWEo3Hnw49MBw+o5zQ4cmop/dJ01eizgebyRH:6N9FRiEfy86EoLiB1oBVcDpriNbiH
                MD5:D51E363B74C84AE8AA03BAB3747D5A0D
                SHA1:CC04E8F00C14BDC2F22DA1DDD5336A1BCF0E9C9C
                SHA-256:57267A6F495688B3839343DD870248C381551A36661004F91DF6F7A6065E97AB
                SHA-512:AF2C60E2306BE00ACA0EA0E114146CAC692BB1A3BE780AAC15E3AE5382FABE5C183CD67F88A6B6BD91C814B191A9228D6FAB2C9D5D80B6D951B87563DAC78E0E
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8324
                Entropy (8bit):3.6967748947550376
                Encrypted:false
                SSDEEP:192:R6l7wVeJTp666YEIWSU9gMxgmfwzo1pBa89bY2sfkDIm:R6lXJd666YE5SU9gMxgmfwzo5YVfI
                MD5:A0931F2D5376796C81EF82852873A8F2
                SHA1:E41EB3325FADF38FA713C38334F5F6873B7456BA
                SHA-256:7DE6B418D2B85A6B9B5B42C4C8212FC2D55A4F444FAA169CB26AF4399937E172
                SHA-512:59B0D3DD6192A57B4BBD4C0DE3EC661177D391E01FFBCBCE119F4C2A328DB514B228CC196D965817AA3040F1E8639F875AE0692853383F81B638E093E0386746
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4600
                Entropy (8bit):4.453789305825648
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYj4oYm8M4J73qFv+q8o3Gf3i3d:uIjfHI7zj7VfFJ78lGfy3d
                MD5:5E406900ED9169535385635E57B94DEA
                SHA1:E2DB49C3F69CF28525CA093C79462BEC039F9DDE
                SHA-256:22FA9012763621CA8154842CA87999575A34DFD610EB4D15D1DE39178BF6066F
                SHA-512:E328A2DF052603E0ABABAA521D1287F43AB0A23E3124869A1DC6A9C2D88FF16B9301ACDF099EF5E6BE651F0C498282CD0EF3A53CABDDD09C6CAB836732BB1BC5
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:30 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):95522
                Entropy (8bit):2.003182361624047
                Encrypted:false
                SSDEEP:384:xHs2q6dEfPFNqzwznS4iHpC+4cmop/ERYyLdqUq46MqwakKI5EpUBRaNi:xHs2q6dEfPLawdiHAcDp2PdEUqN
                MD5:098F53146FB482C974D1B3D4ECB78F7F
                SHA1:DF572A35A5B5895D4574247C7006EEC9D3668B90
                SHA-256:D3ACBBF3F92EF8B936ED9801A558EAE3E49D8FF2CD2EF6A0525C37A82ACFB8F4
                SHA-512:607805388E0874FC07AB8F87C9D50E114E7D5187F6388C816F8FC708443AC13A42C5BD07320D2A5BE2AD7E76A3E4A19DEBAD0E2091B94CBAB82ED812C94E6FBD
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8324
                Entropy (8bit):3.6950744697835036
                Encrypted:false
                SSDEEP:192:R6l7wVeJTU656YEIKSU9gMxgmfwzo1pB089b42sfNom:R6lXJA656YEVSU9gMxgmfwzor4VfH
                MD5:A4F0B2872B16F82996A9CE283E2CF69D
                SHA1:6EA67C1D2B3B6F0AF464B80488CBAC35796A91F5
                SHA-256:02E72850A263BEC2C1DCEDA9599F5AD7CF6579299B821D0CB6651C3B2A4A0344
                SHA-512:55017BE222F5879624237E7268E9F30FABA85C3722CAAFDADB4988FD9A1AC6AA832E615F39D440FE6A8ECE048527ADD6479D8A3E1AD4ABF3D78C2318329BBF49
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>4508</Pi
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4600
                Entropy (8bit):4.45606509516686
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjgYm8M4J73qFfYM+q8o3Gf3i3d:uIjfHI7zj7VcJ7/MlGfy3d
                MD5:1609182527EACF27362C150F5207F6F8
                SHA1:1544D2314E6FFCDF8B7F303A15C4D23C6653B6BA
                SHA-256:58E38F56D3664B86A17F95D9C908A0CA571169F690D13780BF9894A4C242C7F7
                SHA-512:6003E7BFD3C6C609F446A22C1CEC916B10249A1ACF9BAA31A044BA67AD7ADC9296796F0FB732522F0BE8EF293B890CAE474E862DD193B4A2E1C3618FD44FE1A7
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:31 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):95098
                Entropy (8bit):2.0175809792375676
                Encrypted:false
                SSDEEP:384:x3BC2q6NEfTby4lhqWQgzUISRpC+4cmop/Be8qpWh93Bg9aJYo1NDcdfdxQpVBY5:zC2q6NEfTpogATAcDpO4938e
                MD5:C69D15E5CBF4BAD278B091B573BD183E
                SHA1:31874D17E5F3E02CDCA46C4C73C67F873BD5F9BD
                SHA-256:0425A7793DD00553B6E0B0B18A99BE7083924FCE21400155ECF58F4A93F0F616
                SHA-512:501957D94F99896A5AF0ADD062F019BF0332DFA5A720576FDAD58960CBB0C1328F2AB8EC9C6AFBE3CC48372A2614E51DB95436C0A067B42E16FE806E8DEE3C0D
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:modified
                Size (bytes):8324
                Entropy (8bit):3.6949219040170322
                Encrypted:false
                SSDEEP:192:R6l7wVeJT16AF6YEIiSU9o8Mvtgmfwzo1pBu89bB2sfHrm:R6lXJh6S6YE9SU9RMFgmfwzoNBVfi
                MD5:457738FF6C4E5569DDBA35B4EE10A693
                SHA1:5E9780BA270341F3E8205B9B0B42E511993CE4B0
                SHA-256:401B34855911456134DEB956E34EE3F1FDCA2ECC8FCFACC464252E1EE0E3A2A8
                SHA-512:36CF44EEB8953D2C2DF4CE9DC5D4F352603E1BC23458A1F60B735DB7DFD3368D56F82BD8FB6A3E2CD5DADDF6C7D7A4504947E2D1636D235DF5FFED11C4D3A905
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>4508</Pi
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4600
                Entropy (8bit):4.4539504209748335
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjWYm8M4J73qFc+q8o3Gf3i3d:uIjfHI7zj7VmJ7LlGfy3d
                MD5:E42436EA864E505466ECDCF0DA934FE3
                SHA1:76277971FF689C6BC175971BA288F49B577EC68A
                SHA-256:C056D7341C5F2EB1E4D3F90F89B80ACB4C0224376DEF11D13E8E106DA8F8FE4D
                SHA-512:A8800A87FAF30F0CE8430033AE29B50619AEBAF2210F0372F8DEA9547E67C8D1978A29D106E699E90875FFECFA6FF7BD5A1D10984EF8A6CD54A1C793D2FB6DF0
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:32 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):94674
                Entropy (8bit):2.0247230080039245
                Encrypted:false
                SSDEEP:384:uG2q6XGHEf2tty5lqdgzHSJpC+4cmop/UjC8hKzunPdsdFt19lNFtKEt1NlNFtFu:uG2q62HEf26nog+AcDpcjszup
                MD5:386CE51A9148E80535766FE35772FAE7
                SHA1:F45A5652F86C00BEC485D57D5F42F287503D09C8
                SHA-256:4BBA79C10F9AF033C89FFA2FC174911CDAF76CD16E9C89B7C95DDECF7E0C667A
                SHA-512:4EF797CCCB29BD9815BB7200EE3B20F614C1CD03BCE4C748D18D6C6695A0B8A738DDA8D2AFE6A2D942D2F4B3CFA4A8E05B5D28FA5134C88448AD941A5C82BF9D
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8324
                Entropy (8bit):3.6943608854467143
                Encrypted:false
                SSDEEP:192:R6l7wVeJTT60p6YEIiSU9o8Mvtgmfwzo1pBa89bq2sf9Om:R6lXJH6C6YE9SU9RMFgmfwzo5qVfN
                MD5:10E1803BD6E0AB4324E2802461AE699E
                SHA1:3B12AEE06D2B2DF87792D4146C64918FC0E4608B
                SHA-256:13AA20667B57118615D9CDA9936DD5715CC5D4AFA3A3D957651B58BA2D382BA1
                SHA-512:85EF847B8A0A8C4999D983126027757F34F46F6CBC212B70AEB5738D3E74DBE534D746673E8CCF493EBFFD431C95584CC92C713F4A8A593F9AC89B9C003CF98D
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>4508</Pi
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4600
                Entropy (8bit):4.455340300676665
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjGYm8M4J73qFL+q8o3Gf3i3d:uIjfHI7zj7VyJ7slGfy3d
                MD5:913F645D671154828891D7B781778AAB
                SHA1:C91CFC5731E1A67E6780BBCFF43B968DCFB858AE
                SHA-256:29C34B58600ECEFE0EBDE4D2F9459A0D54B89C720C2B823C09097B31B413789C
                SHA-512:641E0FAC93DA61097CC42129D98FF7ECD274E4C5CD82A41CC834BF4AD7D77F450179FA54BA7C120D0D07E7A8D20A5F0F8683942151207890E33F5072E01D6BED
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:33 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):39288
                Entropy (8bit):2.5647630531416845
                Encrypted:false
                SSDEEP:192:nIqXiyXZtU3zX884iEmOzwFfoeXDxilLQWpDU+uw21o0FMiUe4vgbmgACCObFA:btUo8oxEfflilLQWpDu1YX4Bd
                MD5:84F7189FFBA3D6F4983BF7491A283A89
                SHA1:56096C5A721671DB6A0CFD6EA3CA32054B5D1792
                SHA-256:E764B88F7A68E4AC4E237212B5EEDA31EE788424B5C3CA22F7B97D771BB240C3
                SHA-512:9FCDEE8213A4AC39C32AC73BC8D450CB4C6DC812142D668616FD6B5ACF2D354EC3621967F656E3EFC8DF7DDD3144BA03990A1780A11FC0E37161157F39CDCAE4
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8346
                Entropy (8bit):3.6981299784100234
                Encrypted:false
                SSDEEP:192:R6l7wVeJT36IXG6YEIaSU9X5MvAgmfwR44CpD489bz2sfLFRm:R6lXJj6IXG6YEFSU9pMIgmfwR44azVf2
                MD5:435FC6935C82912A48EC28D3EC431494
                SHA1:2231E439D7EB37B980A2EB7C3F1E37FE19127E78
                SHA-256:DB364F272A3A816C0DF2AD8397167F0DE12B15C926BA7F94887692CAD09EBCCE
                SHA-512:29EE46EA504253F8C856CE1F2FE52437B2A22E66D31063EA77C8BA6FECBA747181843BB4BC28613DAFD129BC68BEB1CA236FF607C3526CF02CCB3467D0E8E7DF
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>4508</Pi
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4610
                Entropy (8bit):4.478720402021752
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjYYm8M4J73/FU+q82KGf3i3d:uIjfHI7zj7V8J7GMGfy3d
                MD5:7DC35C5CA8156B2AFE96C4CAB2777EBE
                SHA1:BD8BBD2456ECC5115DFD9083C97B112F3787B9C1
                SHA-256:C1210BB3DA2AC07C673B66F2B6714A1A45D5C9237F6F9E27D5E939661B536F85
                SHA-512:ECC7C3C9DB33BBCFD7151618460A31FCB9908E45A37200D2741064567D591ACC6232BD55C050BD62EB994F9BBFA647B30160DB6247A29047D42389EB99E88467
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:33 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):53166
                Entropy (8bit):2.167538766597923
                Encrypted:false
                SSDEEP:192:nqqTLX6Xr6CsegOzXw5D159z3ASQ2Rllj2xOtNMLb6DpcITv+wcGvMta2z3cL:qqu6Ch3U5DJzvXljRpce+wzvMgWcL
                MD5:58FBDF225B5D01827CDA15525D403665
                SHA1:70528C16AF4EA0809FE4C89DF13058DBBFD39905
                SHA-256:7584BA3CC3E8B3D2ACACF5458DF28C88BEC411DF1E8E475C63AFF1C6AC21955B
                SHA-512:6F0FC0D9C13CBACB0F537F305700EC5ACD6C742CFCA4D1343012A1F98425A4D278E31BDE0E762A8267E9A9213110B60C0F59BE2949A883BC516548D80ACFC153
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8302
                Entropy (8bit):3.6940695874102474
                Encrypted:false
                SSDEEP:192:R6l7wVeJd96frr6YTCT6AfegmfiZo1pBt89bzhsf0MRm:R6lXJH6v6Ya6AfegmfiZogzafa
                MD5:E605F6005ED9E5FDC859FC2E9655F60B
                SHA1:8900F33D1A9C153ABDA32914BCE4892CF687730D
                SHA-256:AC8122A60D885EE09E0D8114376666C50C01BFC9976C79B81DF22E293648B4B8
                SHA-512:54D04FD711F21B4F04A81BEAA0E90876803E0B6326E7B091056AC9FFF959867D7E69AAEF03C69985157B2E1A42CBE499680498255F25008F29DE39F70B4C2994
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>5080</Pi
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4593
                Entropy (8bit):4.44810506128543
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjd5Ym8M4J5yF7+q8oUU33QUd:uIjfHI7zj7V+oJel3AUd
                MD5:084D9C06F6814F9DBA44AFD0B4175ED1
                SHA1:84ABEAF8E26AA54F117866AE561DF66F92E93B7A
                SHA-256:394BF7B51A84B44FB2F590C9EB440A587FADA7DE96897FA1BFBDAD0136A11F49
                SHA-512:176F67BCF8BBA9EA96C602CA59AF9132ADEBFC6D4A80081C70AEB6B8EDABC8AEE6F75327E1529C6A0CEFB0364E75E923D8FF1148DC62D338E131E73B506C45FC
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:34 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):59154
                Entropy (8bit):2.170302166966198
                Encrypted:false
                SSDEEP:192:80eE2yeX2XSM5sgOzXw5QFck3ASQlR1lduy+bgmNNSLb6DpcITssM1bOm3xlkqX/:uE2JM5s3U5QakEHldujZpcFsM1amcI/
                MD5:9C05B82966AA890C94FDEA5CC80D8DFE
                SHA1:EDE1276471ADAA8191F333E46D5EA95B8F35753E
                SHA-256:9A7B317B454FE7B066E43810FCA0B06E02B393E9853AC16A71B4B91D48749D7D
                SHA-512:1D7F3760110847403958B5B376A7756D62E667D2B231A1535354866DA6FE84EF1B66D4FC04A83B68BA9EDA3358CFCB3D5B5FB9173C35D56D45D79DC84E9AF2E3
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8304
                Entropy (8bit):3.6914983580116796
                Encrypted:false
                SSDEEP:192:R6l7wVeJdL6oW6YTW6AfegmfiZo1pB089bchsfQ0m:R6lXJx6B6YC6AfegmfiZorcafi
                MD5:49963FD91F1911649BB9CE5C6F3E1123
                SHA1:4B8EA6ACD6906DCE282AE9A8311EDC2CC5AD3592
                SHA-256:BCEE3A0AE5FA544B851F504BB8C638D1A44CBFFCBA0114131B05C9FBA054A023
                SHA-512:20DD5EC5C5E8EB156DAD0A06F6E21998E2C2FF05A0228E7A562B3CB6F229A19188852906488FC4DA04029B118CC08CF659E8C01DBEFD3BAFFD3F951D33B60BB5
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>5080</Pi
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4593
                Entropy (8bit):4.45056198943864
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjWYm8M4J5yF8+q8oUU33QUd:uIjfHI7zj7VGJdl3AUd
                MD5:4E7997860AE238761EC64B313915AFC8
                SHA1:66C7D647B44ED8CC87AF13408C0A43C1D3311FFC
                SHA-256:6C5BB0C3989197314C80CBE005744E57784EC415DFDA2A09E0FCAC1D22181C34
                SHA-512:C70FACEA73062F5A004F3EC44DA183C357CDBC3222D5E38782CE854C47C0E4B2FDB7A28F9578C993A28FD1C228D6C72FD27AE226F60DA05FDFDB644F69288514
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:35 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):56984
                Entropy (8bit):2.1214796468993633
                Encrypted:false
                SSDEEP:192:ZsmXkXtdAPxTZagOzXw5Z8yr73AwQlRGfaiXhwalAeOSLb6DpcITcsDMBPPPMc:sdAP903U5L/SAfayhwalgpc5sO3Mc
                MD5:8B7F4D8BC5212E5BFAB39EA4AB4D3CFE
                SHA1:2B177DA575ED7D88AFEC04D6007032A8E3971D25
                SHA-256:7D0E0FC70FA550ADFFDDE6AC627EBC1554341AF345A6B77D46E7DFAEC7D6EF7B
                SHA-512:146A9AD20D84EB5ECD2F626D18B34466D9DB72D024303D06DC45B703435C659091DDF8D20E506B3BAD37F4D1091CD94E0624A0C03E26232F8BEFCE437B0FC69A
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):6296
                Entropy (8bit):3.718395363659016
                Encrypted:false
                SSDEEP:192:R6l7wVeJdx6tYiZoaAjAapB089blhsfcv3m:R6lXJ76tYiZoaAjAslafcu
                MD5:568E2C7F135FF50B5E6C8A6F369802C3
                SHA1:F2A03CBCD4028F0E1E9D98A79EA1644FFA686CB1
                SHA-256:A79C90B805389EBACDB4A4341B65CF29799ABD933951065F808169C9CDCA9358
                SHA-512:75669016348F1AEEA1519F89C5B7D40E486A9008D1E7B88ECAF03269952B98D113E5CC26C4205EC8A56CC0A572CD98B6C619A27EF27DE1413FDAF681182797C1
                Malicious:false
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.8.0.<./.P.i.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4593
                Entropy (8bit):4.448633372327134
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjEYm8M4J5yF0+q8oUU33QUd:uIjfHI7zj7VsJVl3AUd
                MD5:8A73B9AFCFF646A8791149CC5EA9BA8A
                SHA1:C4438F9E0CB60897303B8E87463380F78F4711AD
                SHA-256:F4E6EA35FFC24E85CED4F851D00C49ED30229390556BA5405EE851A5B68B13EC
                SHA-512:0F304924548CEE33690DEA83C2E5A1499760264C7500895ADEB96D1F45FF714103D1B6E6C1B0EEF414D921E6DB8226FF4B6BBD4469FC71F6FD3D7B22740578FE
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:37 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):58420
                Entropy (8bit):2.1312924824122486
                Encrypted:false
                SSDEEP:192:LvmXkXtdAP+FjgOzXw5Ellack3AlVQiRrl3OPC+JmOMLb6DpcITpSVf0lC4qh:PdAP+V3U5UkkfBl3OJDpcJVIa
                MD5:0F5FF0D1B8C60F88E1DD7AF8E9C8156C
                SHA1:A940E731EACD5F5AD99B141D32E63965CFDA103C
                SHA-256:F461B3F2A42B8B21145753EA51BBA4E66BE1B51726A93AD753EB3EA9AA595EEA
                SHA-512:B501818A16EFF686CBA21C9F24B4A0B9E2BEF630BB738767F34912FC0D7B553456A7AFC2626A8AB205E6E119A55A26F30ABF77C47CA2894E7430A0C088DF9C9C
                Malicious:false
                Preview:MDMP..a..... ..........f........................................L3..........T.......8...........T...............<.......................................................................................................eJ..............GenuineIntel............T..............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):6296
                Entropy (8bit):3.7199577613898525
                Encrypted:false
                SSDEEP:96:RSIU6o7wVetbTJP61YVQ60oFXT3t5aMOUM89bXhsfJaKdm:R6l7wVeJdP61YiZo1pBM89bXhsf/dm
                MD5:E0F3CDAC114914DD240D90E01E2618AC
                SHA1:C448D6A65BA9C36A9D88D7EAC4F99E49D4ED8977
                SHA-256:AB9289502A205E768DF8A3A919F06F618A76796332E14912A7C58804B481F857
                SHA-512:FEDD2F43CB1028E0C2E750B9A107FDFFD24C9E8D14497F3D09DF33513FF24559833AD51E3F21381FF589997618704B94D5C253A6158778A40C0ABBB6B3B71D1B
                Malicious:false
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.8.0.<./.P.i.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4593
                Entropy (8bit):4.4473029435609766
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjHYm8M4J5yFko5+q8oUU33QUd:uIjfHI7zj7VLJVGl3AUd
                MD5:323DBEF61BA669618D96D3E456C5BF8C
                SHA1:DAA1E184C18CD7BB8C84D97F159D6D4261162A71
                SHA-256:6F3FB74DEB31F35EB1D104E6E159CE5381D4B79CDB721B5400737E0239D3A809
                SHA-512:0CBEB72DE26746B825FAF75BD52ECA8D271A72986726A45A7EADAA9D38D9A83BC93B508D69205A51EFCF9EB6EFB515F4C077601C147E82C597DC80402C1459AE
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:38 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):57062
                Entropy (8bit):2.121345456350793
                Encrypted:false
                SSDEEP:192:gjemXkXtdAPB8DgOzXw5wES73AwQlRGfsOXGO4hWOMLb6DpcITRhSi0UgcHw:08dAPm3U5wEcSAfsOGO49pccg4w
                MD5:57F95FEC1BB8960B7B50FF8FB257F1CB
                SHA1:27E05CACEAA08FA644F6BFB344F091386CABCE23
                SHA-256:19CFB8E15285C70616EB9AA7F074AF8C441155E49656E7DB5B88BF4C139A6018
                SHA-512:A70FFB43DB3B5CA5A8A494A42AE69A9471ADA42B989C8CB1B07DB4BBAD79C792D13EDD191ABD3F25EB5ACC92261E108B5174B277332904262B9EDD615764D800
                Malicious:false
                Preview:MDMP..a..... ..........f........................................L3..........T.......8...........T...............f.......................................................................................................eJ..............GenuineIntel............T..............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):6296
                Entropy (8bit):3.719704687785499
                Encrypted:false
                SSDEEP:192:R6l7wVeJd+6HYiZoaAjAapBRC89bAhsfUGAm:R6lXJU6HYiZoaAjAq7AafL
                MD5:C7C216E0FFA0AD8C0C55763DA76E60C5
                SHA1:8CFF57E2BB547F8DF98AAB0340A4C6FC0E72CEC5
                SHA-256:E7A2FACC6C9460B4D902EDE262D4BDB2420305D1DC268422B4D11575E6855DBC
                SHA-512:8A51A6397E6B8A59279C5AC2E066C7B9A57FD60C68E25D151E0EA66446CF7B51CF04FD14228F718445D105062732D5E91D1FCD7876B38FA11E52993E21F981B0
                Malicious:false
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.8.0.<./.P.i.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4593
                Entropy (8bit):4.450273849385192
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjDYm8M4J5yFD+q8oUU33QUd:uIjfHI7zj7VrJGl3AUd
                MD5:6AC4C5FCF67AC27D14F58D10D8F90193
                SHA1:7B3B7C9F8BC291EB4FD7F0D92294538F331F9DF5
                SHA-256:B666006C8F6C6CA948B8256ABA6B6A467A97106143A44BE244CC11C0807FC416
                SHA-512:B24DE547B1041F58C62C2645DA8B8BCE9340FCF2E0CCF80BC3A7B052A392C01485BE948C7C38BE25DE02ACF0F4BF93B97073335D6D6517F54D7C44C2AD8F5EEE
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:39 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):58518
                Entropy (8bit):2.132310894813967
                Encrypted:false
                SSDEEP:192:9WmXkXtdAPy1/gOzXw5EllKck3AlVQiRrlLOfS+XmOMLb6DpcITsyZXv4ck:GdAPy1/3U5EkkfBlLO3Dpc9yih
                MD5:9DB61CC68588C0481F2CB7685FE9DACD
                SHA1:33B8857573A14CC513AEED4E3ECD993F62CDAE65
                SHA-256:6FE6015CB5F7F0E04E3EA4DAAC1A9CA0877BC546890A9C46F82776D68384F736
                SHA-512:13AA040179998632A808446C16CD08AAD7C52698A535B1E2BCE155A005DD0F5A46EC24D7C39A56571711FCD4B7B6D264B27802ED4C6177D0A2FEB436234A9F53
                Malicious:false
                Preview:MDMP..a..... ..........f........................................L3..........T.......8...........T........... ...v.......................................................................................................eJ..............GenuineIntel............T..............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):6296
                Entropy (8bit):3.717957249230621
                Encrypted:false
                SSDEEP:96:RSIU6o7wVetbTJ76sYVQ60oFXT3t5aMOUw89b/RhsfVv9Bm:R6l7wVeJd76sYiZo1pBw89b/Rhsf99Bm
                MD5:C98ED536813864BD956D19A7ACEBF186
                SHA1:F421885A74FA9FCA8F0DE70D99B9A9DC80C6A439
                SHA-256:34288B8B69AB9DF833FF9A86986DE4A73835B4C9C492806635DE1A287C56684D
                SHA-512:D312F4B8764F8160C47E7AB6A8D0CED81D7E041A87E3098382EAC7FE3453987D7FE0A4569B747FDB633BF7C604F78EE437835A69B5EBBA1FFA110CF343A5BA0E
                Malicious:false
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.8.0.<./.P.i.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4593
                Entropy (8bit):4.449099298460015
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjBYm8M4J5yFK+q8oUU33QUd:uIjfHI7zj7VlJrl3AUd
                MD5:210C4CBAF6051C4AA6F450718028E255
                SHA1:3A2A956316D2BD27745438B189B9051482FAB672
                SHA-256:986C37882E51590AABF5CDBF5E15BB124CDF84A76A00101BCA13EE6260323BD1
                SHA-512:1656843178F329CF62EBFC65CA13DDB32C79EAEA333977C5DE226D61B37BF901460FF21E10CC7DC46F44DE51036EAF5640CCAB3C078B0166F13D8577E63B6510
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:40 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):25230
                Entropy (8bit):2.4769450147722947
                Encrypted:false
                SSDEEP:96:5n8LH03vq4neYdXSV25V1CS7X4fQ2JA8+BStJui74QnXa2cWw7Bp/fBcPATK039t:6LVYdX/B7X4op8gO3XwnVHJ3NGIdOkF
                MD5:64F13E48663F4A7A7325F798BA7B71A9
                SHA1:396471C4217D63F88ABC14411DDF4B1F598912B2
                SHA-256:A12F437EEE2C27DA192247AF615EFC508891F6D2E16108F9B8FF14688401B272
                SHA-512:D9A063CEE98A7968B481C931BD6DA02762C3EA253BE0B8057CF045B037A492A772E2EA1D05170A53DEE9976A0CD33FF948108416AC38E9C58FEDA87B65C85F5E
                Malicious:false
                Preview:MDMP..a..... ..........f............4...........x...<...........&$..........T.......8...........T................K......................................................................................................eJ......8.......GenuineIntel............T.......p......f............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8336
                Entropy (8bit):3.7010734899489606
                Encrypted:false
                SSDEEP:192:R6l7wVeJK66GA76YEIRSU9k6ZFgmfiR44jTpDA89bPesfilm:R6lXJf6GA76YE+SU9k6FgmfiR44jrPdh
                MD5:D6FA4334AA7C0B0EB0FFDCAC9E679622
                SHA1:89CD3EFB4BEA4236366AE97AE8205FB63F9478D0
                SHA-256:9CF7CBDE3D24338FBEB37494C266DC3269B50A3296AA920A739AEE0E0F1F1563
                SHA-512:5C5F062E8F737CF27AA077DED064F017804E121CDBC23A21175E86A2A8C30E6661A9D55CFE725DBD3019458AC2664C0B36FA03FFC114A2AEEA35159A4B186D43
                Malicious:false
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.4.4.<./.P.i.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4605
                Entropy (8bit):4.4740760489644815
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjJYm8M4J5/Fm0+q8GJi33Q4d:uIjfHI7zj7VtJm0Y3A4d
                MD5:D49D485C024E9F549BEB2BDBAFEE5A01
                SHA1:58CD657AEC9DA07E5BC022079162C1450B30DB49
                SHA-256:D38CCFE1F3A8A03C31F0079E3DB5322337C8CA87743901256A2DD4CC162FC722
                SHA-512:D44A59BCE9CA9852C4B3F31E6ABCF182323A6AAA4F59725F879B76D3A541EA9823A45F75142C33BFC3364446FE5EC7B6D0D3DCA31455B5BAEAF86E35D657F3B7
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:40 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):57160
                Entropy (8bit):2.1222701173873264
                Encrypted:false
                SSDEEP:192:67AmXkXtdAPogugOzXw5wqi73AwQlRGfVuXJktwoOMLb6DpcITBVLL/5xFZHl:aedAPo/3U5wqMSAfVuJkt8pcYVH/5Vl
                MD5:D34F35BF81CE0877F682E8221894A969
                SHA1:DF082E36E5006EF8E21AD09C58435807C724DC0C
                SHA-256:AED07DF901F6BDB4DED5B58A5791755FAC0A15C69D752D0649DE0C8A570E921D
                SHA-512:FD5DD49D249D7C9A713645B3A7CAE9857DA7C449E73B0CD54F1FB6CCACC846C6031C85070EC50AF92C8AD52973C77BD0CBA2DE62855C6C87D329B5C8C08A3B63
                Malicious:false
                Preview:MDMP..a..... ..........f........................................L3..........T.......8...........T.......................................................................................................................eJ..............GenuineIntel............T..............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):6296
                Entropy (8bit):3.7171616899361357
                Encrypted:false
                SSDEEP:192:R6l7wVeJdk6TYiZoaAjAapBT89bPhsf7ulm:R6lXJu6TYiZoaAjA5PafR
                MD5:F5ADDEC23F52BC4D4D54720ED8F8C181
                SHA1:1D5321489B17BEE0DB1674F09AC98F8D5FFC81E1
                SHA-256:5606F851A960398C6815ABC9E2D248E21A6558E60662438F4176A5C6CCD894AC
                SHA-512:DC9192C0C8CC5E3D7D4943C98A5CF97E26C840FAD24ED117FCD95EE340C3E8EB82212B27BDA9C1A0EEB76B16DC83A27C3862E1E158F874F82C8389E67E5E8E21
                Malicious:false
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.8.0.<./.P.i.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4593
                Entropy (8bit):4.4480989576758265
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjOPYm8M4J5yF3+q8oUU33QUd:uIjfHI7zj7VHSJel3AUd
                MD5:9858836F27B7132C58687AF0E2D46B1C
                SHA1:5E6C0969863E0CBE246518BF0C5E8D01474C4B27
                SHA-256:3E77C396C437D222C63CB3B6726D26E8A54B4F32212F7D579A0469CAF24799BF
                SHA-512:4264FEF2F48F68329096B5ED1DA531CD8743B814361513CF4C643362823A65E8EE261312385087D06D83B479B456500983266999C4CFD3583FD5E8640EFCB2F0
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 12:52:42 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):58616
                Entropy (8bit):2.134871709546429
                Encrypted:false
                SSDEEP:192:0RmXkXtdAP4gOzXw5Ell5ck3AlVQiRrl5q01+tmOMLb6DpcITly2L54W:cdAP43U5FkkfBl5qzDpcQyJW
                MD5:712A1712424536C2C3438C58DA664448
                SHA1:21DF8305FB13240933787A57E4197C1F8B3685B2
                SHA-256:DE7D0B74F6F6E139C4E6D016E75BCBFA5F186614EDC8C702BB60AE55E5D4016E
                SHA-512:CDE93E89892F25E044D98489E9B408CABB63F51F426E24E986AC739BE0A8FA77DE53686237E92D61C026930B79AFD011A32A27DB6A86A5CCF552DE953EA77E4E
                Malicious:false
                Preview:MDMP..a..... ..........f........................................L3..........T.......8...........T...........H...........................................................................................................eJ..............GenuineIntel............T..............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):6296
                Entropy (8bit):3.7186085391367976
                Encrypted:false
                SSDEEP:96:RSIU6o7wVetbTJS62YVQ60oFXT3t5aMOUH89bdhsfMC/m:R6l7wVeJdS62YiZo1pBH89bdhsfMC/m
                MD5:493C5EB4D3429A536FCE7C1E117742CB
                SHA1:6EE94A44DD81ABB8ED9263654124899B6715692A
                SHA-256:774C5E2A0FD1F41B2E1271853719F29DAEF60A43E7A7F21F20B51666432ED99E
                SHA-512:18BADF1AEFFFB994F34DC7C8F17BA11D63C635907AE87D0F0CEC8D4C73E1FD2A0F54AEE775F3A6ED51037CF39DA72433B462AA0C8DC1020EB7DD83EA7BCD9AC4
                Malicious:false
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.8.0.<./.P.i.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4593
                Entropy (8bit):4.4480631381008955
                Encrypted:false
                SSDEEP:48:cvIwWl8zstJg77aI9diWpW8VYjSrYm8M4J5yFek+q8oUU33QUd:uIjfHI7zj7VQJkl3AUd
                MD5:A27679A499CD4406D0DAF4B104F2B750
                SHA1:F74CC4250949A95B0F5B32D261CCFB1113156CAA
                SHA-256:BE03A174E10FF2186BA566C72B4D734D92DD2324ED16D777E3C3E02925DC8049
                SHA-512:0B19D8CFCFA9DE839A9D0905A4437A043BF6D5E18A2B0940DC60D18444A831BA8716E8D7E2601A1B4B0C7D0C0BF338C6AA11A767C71C58AD149CC3F7204976F8
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507115" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Users\user\Desktop\documents-pdf.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):456704
                Entropy (8bit):7.492074991574124
                Encrypted:false
                SSDEEP:6144:12LmXK3chajunEb8/kMb3nB74AogKjLMQx4kxY09AYx+wZzMgI11A1WMCc:126pFnEYRb3nBkAgCkxbAYXb
                MD5:12D7E4DBCB67711B60C8F626D81C7438
                SHA1:4610FE694C6C796ED9AB5CC729519FE3C1FA7629
                SHA-256:3F0143CB0FDD7F85C55841A713BF4934DF3C7F17D1133103B323A5332535852B
                SHA-512:DED570F6814AEB37D2AF53362063AECC11D5A3DFC27FB5B26D082768768D810004B908C3AD27DB6D05A347D8497EA950DC8A5FB216A544C353B5566F287F0F58
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 76%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.~.u.~.u.~...t.~.k...n.~.k..e.~.k...).~.R+..p.~.u.....~.k...t.~.k..t.~.k..t.~.Richu.~.........................PE..L...~..e............................p.............@.............................................................................<...........................................................h....... ...@............................................text............................... ..`.rdata.. ".......$..................@..@.data...............................@....tls................................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\Desktop\documents-pdf.exe
                File Type:ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:true
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:MS Windows registry file, NT/2000 or above
                Category:dropped
                Size (bytes):1835008
                Entropy (8bit):4.424187915738338
                Encrypted:false
                SSDEEP:6144:XSvfpi6ceLP/9skLmb0OT+WSPHaJG8nAgeMZMMhA2fX4WABlEnNM0uhiTw:CvloT+W+EZMM6DFyW03w
                MD5:45583CA90233723A8B9572E40C81BFC1
                SHA1:08E5D1282F08EF3BB553A4F8FAE0E2FA91236697
                SHA-256:4671D2E62F2458D984EFD21B6F9E035A79D74C024D5ADFBB9DBC97F6AB90B240
                SHA-512:F29CB4DC85722D210614161C896C3BCF64B570932FB8E57FF63A84165698F2B5EC4BDE6A101DB8BFBC79AB060D07408A6A473A95F2BFB6A7D03A55B4CE52C947
                Malicious:false
                Preview:regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.<.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.492074991574124
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:documents-pdf.exe
                File size:456'704 bytes
                MD5:12d7e4dbcb67711b60c8f626d81c7438
                SHA1:4610fe694c6c796ed9ab5cc729519fe3c1fa7629
                SHA256:3f0143cb0fdd7f85c55841a713bf4934df3c7f17d1133103b323a5332535852b
                SHA512:ded570f6814aeb37d2af53362063aecc11d5a3dfc27fb5b26d082768768d810004b908c3ad27db6d05a347d8497ea950dc8a5fb216a544c353b5566f287f0f58
                SSDEEP:6144:12LmXK3chajunEb8/kMb3nB74AogKjLMQx4kxY09AYx+wZzMgI11A1WMCc:126pFnEYRb3nBkAgCkxbAYXb
                TLSH:0EA4D0D0A6E04169F7F74AB0D932DE650A3FBCEB6931548E2144261A2DF22C24937F5F
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.~.u.~.u.~.....t.~.k...n.~.k...e.~.k...).~.R+..p.~.u.....~.k...t.~.k...t.~.k...t.~.Richu.~.........................PE..L..
                Icon Hash:0d59230d490dd149
                Entrypoint:0x401c70
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:TERMINAL_SERVER_AWARE
                Time Stamp:0x6585197E [Fri Dec 22 05:07:10 2023 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:0
                File Version Major:5
                File Version Minor:0
                Subsystem Version Major:5
                Subsystem Version Minor:0
                Import Hash:e65a8357ca24d261f7849f444ec396fa
                Instruction
                call 00007FA6B9797B0Bh
                jmp 00007FA6B97940DEh
                mov edi, edi
                push ebp
                mov ebp, esp
                sub esp, 00000328h
                mov dword ptr [00452810h], eax
                mov dword ptr [0045280Ch], ecx
                mov dword ptr [00452808h], edx
                mov dword ptr [00452804h], ebx
                mov dword ptr [00452800h], esi
                mov dword ptr [004527FCh], edi
                mov word ptr [00452828h], ss
                mov word ptr [0045281Ch], cs
                mov word ptr [004527F8h], ds
                mov word ptr [004527F4h], es
                mov word ptr [004527F0h], fs
                mov word ptr [004527ECh], gs
                pushfd
                pop dword ptr [00452820h]
                mov eax, dword ptr [ebp+00h]
                mov dword ptr [00452814h], eax
                mov eax, dword ptr [ebp+04h]
                mov dword ptr [00452818h], eax
                lea eax, dword ptr [ebp+08h]
                mov dword ptr [00452824h], eax
                mov eax, dword ptr [ebp-00000320h]
                mov dword ptr [00452760h], 00010001h
                mov eax, dword ptr [00452818h]
                mov dword ptr [00452714h], eax
                mov dword ptr [00452708h], C0000409h
                mov dword ptr [0045270Ch], 00000001h
                mov eax, dword ptr [00451008h]
                mov dword ptr [ebp-00000328h], eax
                mov eax, dword ptr [0045100Ch]
                mov dword ptr [ebp-00000324h], eax
                call dword ptr [000000F4h]
                Programming Language:
                • [C++] VS2008 build 21022
                • [ASM] VS2008 build 21022
                • [ C ] VS2008 build 21022
                • [IMP] VS2005 build 50727
                • [RES] VS2008 build 21022
                • [LNK] VS2008 build 21022
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f81c | 0x3c | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14b000 | 0x1e7e8 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x4f468 | 0x18 | .rdata
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4f420 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x4e000 | 0x1b8 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x4c9bf | 0x4ca00 | 35a76d5031b3d759a9e9c8dfe6e8984d | False | 0.9445287010603589 | data | 7.927410473473771 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x4e000 | 0x2220 | 0x2400 | 7a8998297e066fdb0a857708575873ff | False | 0.3517795138888889 | data | 5.399651524631684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x51000 | 0xf8f9c | 0x1800 | 6f1a21b8c1714b37a4ad6b80b9a12ec9 | False | 0.146484375 | data | 1.6051456374636914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .tls | 0x14a000 | 0x51d | 0x600 | d00a0884dfc2593613905d91d2ea3f37 | False | 0.015625 | data | 0.007830200398677895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x14b000 | 0x1e7e8 | 0x1e800 | ea425ef548de7a4f4752de9cf71d7b2c | False | 0.5855532786885246 | data | 6.036670613620316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                AFX_DIALOG_LAYOUT | 0x164620 | 0x2 | data | | | 5.0
                HAZATOWAHAYAWOYEWA | 0x164220 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6257367387033399
                TALIHIPUJUBUDUDECOKOSOZIVIP | 0x163628 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.6007182500816193
                RT_ICON | 0x14bb00 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5812899786780383
                RT_ICON | 0x14c9a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6529783393501805
                RT_ICON | 0x14d250 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.711405529953917
                RT_ICON | 0x14d918 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7608381502890174
                RT_ICON | 0x14de80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5363070539419087
                RT_ICON | 0x150428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6454033771106942
                RT_ICON | 0x1514d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.660655737704918
                RT_ICON | 0x151e58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7907801418439716
                RT_ICON | 0x152338 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.7020255863539445
                RT_ICON | 0x1531e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6796028880866426
                RT_ICON | 0x153a88 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6284562211981567
                RT_ICON | 0x154150 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.744942196531792
                RT_ICON | 0x1546b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.6370331950207468
                RT_ICON | 0x156c60 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6592401500938087
                RT_ICON | 0x157d08 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6741803278688525
                RT_ICON | 0x158690 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.6790780141843972
                RT_ICON | 0x158b70 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.40085287846481876
                RT_ICON | 0x159a18 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5640794223826715
                RT_ICON | 0x15a2c0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6273041474654378
                RT_ICON | 0x15a988 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6372832369942196
                RT_ICON | 0x15aef0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.46106941838649157
                RT_ICON | 0x15bf98 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.44549180327868854
                RT_ICON | 0x15c920 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.49379432624113473
                RT_ICON | 0x15cdf0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.7020255863539445
                RT_ICON | 0x15dc98 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6796028880866426
                RT_ICON | 0x15e540 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6284562211981567
                RT_ICON | 0x15ec08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.744942196531792
                RT_ICON | 0x15f170 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.6370331950207468
                RT_ICON | 0x161718 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6592401500938087
                RT_ICON | 0x1627c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6741803278688525
                RT_ICON | 0x163148 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.6790780141843972
                RT_STRING | 0x1647d8 | 0x33a | data | | | 0.4612590799031477
                RT_STRING | 0x164b18 | 0x73a | data | | | 0.4205405405405405
                RT_STRING | 0x165258 | 0x658 | data | | | 0.43842364532019706
                RT_STRING | 0x1658b0 | 0x79c | data | | | 0.4224845995893224
                RT_STRING | 0x166050 | 0x6fe | data | | | 0.42849162011173186
                RT_STRING | 0x166750 | 0x83a | data | | | 0.4188034188034188
                RT_STRING | 0x166f90 | 0x5f8 | data | | | 0.43848167539267013
                RT_STRING | 0x167588 | 0x6de | data | | | 0.44084186575654155
                RT_STRING | 0x167c68 | 0x836 | data | | | 0.4196003805899144
                RT_STRING | 0x1684a0 | 0x706 | data | | | 0.42769744160177975
                RT_STRING | 0x168ba8 | 0x7ba | data | | | 0.4251769464105157
                RT_STRING | 0x169368 | 0x39a | data | | | 0.4718004338394794
                RT_STRING | 0x169708 | 0xdc | data | | | 0.55
                RT_GROUP_ICON | 0x158af8 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
                RT_GROUP_ICON | 0x1635b0 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
                RT_GROUP_ICON | 0x1522c0 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
                RT_GROUP_ICON | 0x15cd88 | 0x68 | data | Turkish | Turkey | 0.7211538461538461
                RT_VERSION | 0x164628 | 0x1ac | data | | | 0.6004672897196262
                DLL | Import
                KERNEL32.dll | DebugActiveProcess, FillConsoleOutputCharacterA, SearchPathW, SetPriorityClass, GetConsoleAliasesLengthW, CopyFileExW, GetNumaProcessorNode, GetDefaultCommConfigW, InterlockedIncrement, QueryDosDeviceA, GetEnvironmentStringsW, CreateDirectoryW, GetUserDefaultLCID, GetComputerNameW, SetCommBreak, ConnectNamedPipe, CallNamedPipeW, FreeEnvironmentStringsA, GetModuleHandleW, GetTickCount, GetConsoleAliasesA, GetCommandLineA, LoadLibraryW, GetConsoleMode, Sleep, GetConsoleAliasExesLengthW, WriteConsoleOutputA, HeapDestroy, GetFileAttributesW, GetBinaryTypeA, GetModuleFileNameW, GetStartupInfoW, SetConsoleTitleA, InterlockedExchange, GetLastError, GetProcAddress, SetStdHandle, SearchPathA, BuildCommDCBW, OpenWaitableTimerW, LocalAlloc, BeginUpdateResourceA, FoldStringW, WaitForMultipleObjects, GetModuleHandleA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, GlobalReAlloc, GetVolumeInformationW, CreateFileA, SetFilePointer, WriteConsoleW, HeapAlloc, MultiByteToWideChar, HeapReAlloc, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, WriteFile, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, CloseHandle
                USER32.dll | SetFocus, GetUserObjectInformationA
                Language of compilation system | Country where language is spoken | Map
                Turkish | Turkey |
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-09-19T14:52:35.576605+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49720 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:52:38.134974+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49722 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:52:40.698176+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49723 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:52:43.260126+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49725 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:52:45.880626+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49730 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:52:48.466159+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49731 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:52:51.061897+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49733 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:52:53.710624+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49734 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:52:56.432314+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49735 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:52:59.016129+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49736 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:01.607406+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49737 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:04.312880+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49738 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:06.951779+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49739 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:09.548833+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49740 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:12.136126+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49741 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:14.713699+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49742 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:18.355118+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49743 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:20.917327+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49744 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:23.513235+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49746 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:26.151716+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49748 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:28.751224+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49749 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:31.934813+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49750 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:34.550284+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49751 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:37.159503+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49752 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:39.762402+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49753 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:42.358721+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49754 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:45.058650+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49755 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:47.659026+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49756 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:50.976382+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49757 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:53.528548+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49758 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:56.112794+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49759 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:53:58.687765+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49760 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:01.308899+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49761 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:03.900262+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49762 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:06.520574+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49763 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:09.028558+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49764 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:11.600523+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49765 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:14.137294+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49766 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:16.547704+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49767 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:18.921513+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49768 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:21.281640+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49769 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:23.627004+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49770 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:25.942626+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49771 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:28.244479+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49772 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:30.534465+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49773 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:32.766687+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49774 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:34.983943+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49775 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:37.153992+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49776 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:39.345124+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49777 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:41.692626+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49778 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:43.826007+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49779 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:46.032560+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49780 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:48.090252+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49781 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:50.180012+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49782 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:52.217806+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49783 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:54.642709+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49784 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:56.677325+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49785 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:54:58.685180+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49786 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:00.688737+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49787 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:02.965459+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49788 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:05.015293+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49789 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:06.981471+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49790 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:08.922870+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49791 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:11.208960+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49792 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:13.271815+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49793 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:15.266891+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49794 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:17.185810+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49795 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:19.204292+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49796 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:21.534203+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49797 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:23.610667+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49798 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:25.500716+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49799 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:27.392054+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49800 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:29.359496+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49801 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:31.312314+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49802 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:33.140228+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49803 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:34.986705+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49804 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:36.880675+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49805 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:38.812703+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49806 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:40.763845+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49807 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:42.832646+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49808 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:44.707654+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49809 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:46.547911+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49810 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:48.670309+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49811 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:50.560438+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49812 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:52.500913+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49813 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:54.453269+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49814 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:56.361527+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49815 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:55:58.308418+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49816 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:56:00.143402+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49817 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:56:01.983339+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49818 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:56:03.884617+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49819 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:56:05.724651+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49820 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:56:08.068766+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49821 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:56:09.967988+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49822 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:56:11.849951+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49823 | 198.23.227.212 | 32583 | TCP
                2024-09-19T14:56:13.701731+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549824198.23.227.21232583TCP
                2024-09-19T14:56:15.568650+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549825198.23.227.21232583TCP
                2024-09-19T14:56:17.405510+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549826198.23.227.21232583TCP
                2024-09-19T14:56:19.265195+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549827198.23.227.21232583TCP
                2024-09-19T14:56:21.143403+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549828198.23.227.21232583TCP
                2024-09-19T14:56:23.019231+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549829198.23.227.21232583TCP
                2024-09-19T14:56:24.688731+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549830198.23.227.21232583TCP
                2024-09-19T14:56:26.547301+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549831198.23.227.21232583TCP
                2024-09-19T14:56:29.389220+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549832198.23.227.21232583TCP
                2024-09-19T14:56:31.369951+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549833198.23.227.21232583TCP
                2024-09-19T14:56:33.235479+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549834198.23.227.21232583TCP
                2024-09-19T14:56:35.047492+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549835198.23.227.21232583TCP
                Sep 19, 2024 14:54:12.580248117 CEST4976632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:12.740673065 CEST4976632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:12.894577026 CEST3258349766198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:14.137198925 CEST3258349766198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:14.137294054 CEST4976632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:14.137399912 CEST4976632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:14.142261028 CEST3258349766198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:14.963244915 CEST4976732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:14.968122005 CEST3258349767198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:14.968244076 CEST4976732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:14.972963095 CEST4976732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:14.977684975 CEST3258349767198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:16.547554016 CEST3258349767198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:16.547703981 CEST4976732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:16.547823906 CEST4976732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:16.552614927 CEST3258349767198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:17.338025093 CEST4976832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:17.343017101 CEST3258349768198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:17.343327045 CEST4976832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:17.348341942 CEST4976832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:17.353404045 CEST3258349768198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:18.921420097 CEST3258349768198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:18.921513081 CEST4976832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:18.921700001 CEST4976832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:18.926597118 CEST3258349768198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:19.697386026 CEST4976932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:19.702377081 CEST3258349769198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:19.702490091 CEST4976932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:19.705770016 CEST4976932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:19.710630894 CEST3258349769198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:21.281567097 CEST3258349769198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:21.281640053 CEST4976932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:21.288876057 CEST4976932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:21.293782949 CEST3258349769198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:22.043282032 CEST4977032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:22.048521042 CEST3258349770198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:22.048593998 CEST4977032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:22.053492069 CEST4977032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:22.058509111 CEST3258349770198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:23.626887083 CEST3258349770198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:23.627003908 CEST4977032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:23.627129078 CEST4977032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:23.631849051 CEST3258349770198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:24.353656054 CEST4977132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:24.358644009 CEST3258349771198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:24.358727932 CEST4977132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:24.362427950 CEST4977132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:24.367363930 CEST3258349771198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:25.942123890 CEST3258349771198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:25.942625999 CEST4977132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:25.942832947 CEST4977132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:25.947571993 CEST3258349771198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:26.637341022 CEST4977232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:26.642328978 CEST3258349772198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:26.642421007 CEST4977232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:26.646440983 CEST4977232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:26.651297092 CEST3258349772198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:28.243572950 CEST3258349772198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:28.244478941 CEST4977232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:28.244478941 CEST4977232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:28.249342918 CEST3258349772198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:28.916578054 CEST4977332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:28.921967030 CEST3258349773198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:28.922075033 CEST4977332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:28.926374912 CEST4977332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:28.931366920 CEST3258349773198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:30.534392118 CEST3258349773198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:30.534465075 CEST4977332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:30.534590960 CEST4977332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:30.539350986 CEST3258349773198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:31.181860924 CEST4977432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:31.186917067 CEST3258349774198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:31.191138983 CEST4977432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:31.194534063 CEST4977432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:31.199378014 CEST3258349774198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:32.764153957 CEST3258349774198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:32.766686916 CEST4977432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:32.766856909 CEST4977432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:32.771626949 CEST3258349774198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:33.401283979 CEST4977532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:33.406408072 CEST3258349775198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:33.406547070 CEST4977532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:33.411819935 CEST4977532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:33.416724920 CEST3258349775198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:34.983733892 CEST3258349775198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:34.983942986 CEST4977532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:34.984302044 CEST4977532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:34.989202023 CEST3258349775198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:35.587974072 CEST4977632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:35.592927933 CEST3258349776198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:35.593033075 CEST4977632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:35.596376896 CEST4977632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:35.601301908 CEST3258349776198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:37.153166056 CEST3258349776198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:37.153991938 CEST4977632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:37.163295984 CEST4977632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:37.168148994 CEST3258349776198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:37.760149956 CEST4977732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:37.765173912 CEST3258349777198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:37.765263081 CEST4977732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:37.768345118 CEST4977732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:37.773212910 CEST3258349777198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:39.345036983 CEST3258349777198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:39.345124006 CEST4977732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:39.345352888 CEST4977732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:39.350152016 CEST3258349777198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:40.103806019 CEST4977832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:40.108827114 CEST3258349778198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:40.108923912 CEST4977832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:40.112355947 CEST4977832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:40.117158890 CEST3258349778198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:41.689261913 CEST3258349778198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:41.692625999 CEST4977832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:41.692723036 CEST4977832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:41.697659969 CEST3258349778198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:42.244453907 CEST4977932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:42.253211021 CEST3258349779198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:42.253299952 CEST4977932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:42.258245945 CEST4977932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:42.263189077 CEST3258349779198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:43.825824022 CEST3258349779198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:43.826006889 CEST4977932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:43.826381922 CEST4977932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:43.831192970 CEST3258349779198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:44.467135906 CEST4978032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:44.472206116 CEST3258349780198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:44.472320080 CEST4978032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:44.519701004 CEST4978032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:44.524996042 CEST3258349780198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:46.031903982 CEST3258349780198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:46.032560110 CEST4978032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:46.032958984 CEST4978032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:46.037780046 CEST3258349780198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:46.540983915 CEST4978132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:46.546025038 CEST3258349781198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:46.546154022 CEST4978132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:46.549339056 CEST4978132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:46.554167986 CEST3258349781198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:48.090140104 CEST3258349781198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:48.090251923 CEST4978132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:48.090451002 CEST4978132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:48.095916986 CEST3258349781198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:48.588005066 CEST4978232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:48.593147993 CEST3258349782198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:48.593255997 CEST4978232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:48.596519947 CEST4978232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:48.602247000 CEST3258349782198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:50.179783106 CEST3258349782198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:50.180011988 CEST4978232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:50.180299997 CEST4978232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:50.185029030 CEST3258349782198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:50.666304111 CEST4978332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:50.671475887 CEST3258349783198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:50.671566010 CEST4978332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:50.674824953 CEST4978332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:50.679713964 CEST3258349783198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:52.217161894 CEST3258349783198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:52.217806101 CEST4978332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:52.218080997 CEST4978332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:52.223000050 CEST3258349783198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:52.933496952 CEST4978432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:52.941610098 CEST3258349784198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:52.942503929 CEST4978432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:52.945358038 CEST4978432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:52.950525999 CEST3258349784198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:54.639885902 CEST3258349784198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:54.642709017 CEST4978432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:54.642904997 CEST4978432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:54.647742033 CEST3258349784198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:55.088505030 CEST4978532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:55.094588995 CEST3258349785198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:55.094682932 CEST4978532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:55.098129034 CEST4978532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:55.103871107 CEST3258349785198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:56.677170038 CEST3258349785198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:56.677325010 CEST4978532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:56.677534103 CEST4978532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:56.682560921 CEST3258349785198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:57.119505882 CEST4978632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:57.124453068 CEST3258349786198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:57.124540091 CEST4978632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:57.129735947 CEST4978632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:57.134742022 CEST3258349786198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:58.685105085 CEST3258349786198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:58.685179949 CEST4978632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:58.685298920 CEST4978632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:58.690090895 CEST3258349786198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:59.103578091 CEST4978732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:59.108721018 CEST3258349787198.23.227.212192.168.2.5
                Sep 19, 2024 14:54:59.108812094 CEST4978732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:59.111946106 CEST4978732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:54:59.116899014 CEST3258349787198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:00.684782982 CEST3258349787198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:00.688736916 CEST4978732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:00.688776016 CEST4978732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:00.697622061 CEST3258349787198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:01.103570938 CEST4978832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:01.108544111 CEST3258349788198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:01.108683109 CEST4978832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:01.112139940 CEST4978832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:01.117029905 CEST3258349788198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:02.965382099 CEST3258349788198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:02.965459108 CEST4978832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:02.965676069 CEST4978832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:03.353730917 CEST4978932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:03.431149960 CEST4978832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:03.437887907 CEST3258349788198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:03.438004017 CEST4978832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:03.438466072 CEST3258349788198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:03.438515902 CEST4978832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:03.444586992 CEST3258349788198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:03.444649935 CEST3258349789198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:03.444691896 CEST3258349788198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:03.444740057 CEST4978932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:03.444772005 CEST4978832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:03.632268906 CEST4978932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:03.637542009 CEST3258349789198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:05.015108109 CEST3258349789198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:05.015292883 CEST4978932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:05.015459061 CEST4978932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:05.020255089 CEST3258349789198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:05.400702953 CEST4979032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:05.414050102 CEST3258349790198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:05.414138079 CEST4979032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:05.420162916 CEST4979032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:05.425048113 CEST3258349790198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:06.981379032 CEST3258349790198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:06.981471062 CEST4979032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:06.981638908 CEST4979032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:06.987102985 CEST3258349790198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:07.353660107 CEST4979132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:07.358694077 CEST3258349791198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:07.358784914 CEST4979132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:07.362472057 CEST4979132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:07.367547989 CEST3258349791198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:08.920078993 CEST3258349791198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:08.922869921 CEST4979132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:08.922993898 CEST4979132583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:08.927836895 CEST3258349791198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:09.609458923 CEST4979232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:09.614559889 CEST3258349792198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:09.614667892 CEST4979232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:09.618160009 CEST4979232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:09.623086929 CEST3258349792198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:11.208857059 CEST3258349792198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:11.208960056 CEST4979232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:11.209357977 CEST4979232583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:11.214189053 CEST3258349792198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:11.626303911 CEST4979332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:11.631309986 CEST3258349793198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:11.631402969 CEST4979332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:11.636076927 CEST4979332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:11.640888929 CEST3258349793198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:13.271634102 CEST3258349793198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:13.271815062 CEST4979332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:13.272269964 CEST4979332583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:13.277153015 CEST3258349793198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:13.683227062 CEST4979432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:13.688508987 CEST3258349794198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:13.688595057 CEST4979432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:13.693872929 CEST4979432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:13.698784113 CEST3258349794198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:15.266717911 CEST3258349794198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:15.266891003 CEST4979432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:15.267076969 CEST4979432583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:15.271980047 CEST3258349794198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:15.608669996 CEST4979532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:15.614118099 CEST3258349795198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:15.614242077 CEST4979532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:15.617520094 CEST4979532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:15.622504950 CEST3258349795198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:17.185693026 CEST3258349795198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:17.185810089 CEST4979532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:17.185977936 CEST4979532583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:17.190793037 CEST3258349795198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:17.616434097 CEST4979632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:17.621690035 CEST3258349796198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:17.624620914 CEST4979632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:17.627943039 CEST4979632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:17.632926941 CEST3258349796198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:19.204211950 CEST3258349796198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:19.204292059 CEST4979632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:19.204406977 CEST4979632583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:19.209230900 CEST3258349796198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:19.509825945 CEST4979732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:19.514810085 CEST3258349797198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:19.514911890 CEST4979732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:19.518301010 CEST4979732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:19.523195028 CEST3258349797198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:21.533888102 CEST3258349797198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:21.534008980 CEST3258349797198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:21.534101009 CEST3258349797198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:21.534203053 CEST4979732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:21.534203053 CEST4979732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:21.534348965 CEST4979732583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:21.539309025 CEST3258349797198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:21.842005014 CEST4979832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:21.848633051 CEST3258349798198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:21.848725080 CEST4979832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:21.853677034 CEST4979832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:21.859680891 CEST3258349798198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:23.610335112 CEST3258349798198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:23.610666990 CEST4979832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:23.610821962 CEST4979832583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:23.615746975 CEST3258349798198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:23.900388956 CEST4979932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:23.905380964 CEST3258349799198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:23.908621073 CEST4979932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:23.911923885 CEST4979932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:23.916846037 CEST3258349799198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:25.500510931 CEST3258349799198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:25.500715971 CEST4979932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:25.500767946 CEST4979932583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:25.507294893 CEST3258349799198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:25.812912941 CEST4980032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:25.818088055 CEST3258349800198.23.227.212192.168.2.5
                Sep 19, 2024 14:55:25.818195105 CEST4980032583192.168.2.5198.23.227.212
                Sep 19, 2024 14:55:25.821623087 CEST4980032583192.168.2.5198.23.227.212
                Timestamp                              Source Port    Dest Port    Source IP         Dest IP
                Sep 19, 2024 14:55:25.826549053 CEST    32583    49800    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:27.391947031 CEST    32583    49800    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:27.392054081 CEST    49800    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:27.392244101 CEST    49800    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:27.397222996 CEST    32583    49800    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:27.772664070 CEST    49801    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:27.777714968 CEST    32583    49801    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:27.777806044 CEST    49801    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:27.781431913 CEST    49801    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:27.786247015 CEST    32583    49801    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:29.357235909 CEST    32583    49801    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:29.359496117 CEST    49801    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:29.359672070 CEST    49801    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:29.364509106 CEST    32583    49801    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:29.735301018 CEST    49802    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:29.740293026 CEST    32583    49802    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:29.742677927 CEST    49802    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:29.768490076 CEST    49802    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:29.773411989 CEST    32583    49802    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:31.312200069 CEST    32583    49802    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:31.312314034 CEST    49802    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:31.312526941 CEST    49802    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:31.317301989 CEST    32583    49802    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:31.562551022 CEST    49803    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:31.567569017 CEST    32583    49803    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:31.567665100 CEST    49803    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:31.571070910 CEST    49803    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:31.575922012 CEST    32583    49803    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:33.139997005 CEST    32583    49803    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:33.140228033 CEST    49803    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:33.140273094 CEST    49803    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:33.145185947 CEST    32583    49803    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:33.417524099 CEST    49804    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:33.422708988 CEST    32583    49804    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:33.422821999 CEST    49804    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:33.426119089 CEST    49804    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:33.431070089 CEST    32583    49804    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:34.986121893 CEST    32583    49804    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:34.986705065 CEST    49804    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:34.986942053 CEST    49804    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:34.991796017 CEST    32583    49804    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:35.273324013 CEST    49805    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:35.278350115 CEST    32583    49805    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:35.278516054 CEST    49805    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:35.281863928 CEST    49805    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:35.286814928 CEST    32583    49805    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:36.880026102 CEST    32583    49805    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:36.880675077 CEST    49805    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:36.880800009 CEST    49805    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:36.885662079 CEST    32583    49805    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:37.232485056 CEST    49806    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:37.237454891 CEST    32583    49806    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:37.240612984 CEST    49806    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:37.320818901 CEST    49806    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:37.325725079 CEST    32583    49806    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:38.812517881 CEST    32583    49806    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:38.812702894 CEST    49806    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:38.812820911 CEST    49806    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:38.817783117 CEST    32583    49806    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:39.212410927 CEST    49807    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:39.217549086 CEST    32583    49807    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:39.217642069 CEST    49807    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:39.222349882 CEST    49807    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:39.227406025 CEST    32583    49807    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:40.763705969 CEST    32583    49807    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:40.763844967 CEST    49807    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:40.763922930 CEST    49807    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:40.768897057 CEST    32583    49807    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:41.068403006 CEST    49808    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:41.073465109 CEST    32583    49808    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:41.073591948 CEST    49808    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:41.076956034 CEST    49808    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:41.081989050 CEST    32583    49808    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:42.830462933 CEST    32583    49808    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:42.832645893 CEST    49808    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:42.832823992 CEST    49808    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:42.838011980 CEST    32583    49808    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:43.116049051 CEST    49809    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:43.121038914 CEST    32583    49809    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:43.122893095 CEST    49809    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:43.126379967 CEST    49809    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:43.131211996 CEST    32583    49809    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:44.707576990 CEST    32583    49809    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:44.707653999 CEST    49809    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:44.707845926 CEST    49809    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:44.712779045 CEST    32583    49809    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:44.967116117 CEST    49810    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:44.972330093 CEST    32583    49810    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:44.972446918 CEST    49810    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:44.975923061 CEST    49810    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:44.980803967 CEST    32583    49810    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:46.547820091 CEST    32583    49810    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:46.547910929 CEST    49810    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:46.548022032 CEST    49810    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:46.552875996 CEST    32583    49810    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:47.101470947 CEST    49811    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:47.106695890 CEST    32583    49811    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:47.108653069 CEST    49811    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:47.147878885 CEST    49811    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:47.152750969 CEST    32583    49811    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:48.670227051 CEST    32583    49811    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:48.670309067 CEST    49811    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:48.670603037 CEST    49811    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:48.675466061 CEST    32583    49811    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:49.000113010 CEST    49812    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:49.005078077 CEST    32583    49812    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:49.007126093 CEST    49812    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:49.010428905 CEST    49812    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:49.015454054 CEST    32583    49812    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:50.560307980 CEST    32583    49812    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:50.560437918 CEST    49812    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:50.560694933 CEST    49812    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:50.565488100 CEST    32583    49812    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:50.903871059 CEST    49813    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:50.909105062 CEST    32583    49813    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:50.910722971 CEST    49813    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:50.914377928 CEST    49813    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:50.919313908 CEST    32583    49813    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:52.500808954 CEST    32583    49813    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:52.500912905 CEST    49813    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:52.501127005 CEST    49813    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:52.507492065 CEST    32583    49813    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:52.862149954 CEST    49814    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:52.867326021 CEST    32583    49814    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:52.867461920 CEST    49814    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:52.872328043 CEST    49814    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:52.877101898 CEST    32583    49814    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:54.453018904 CEST    32583    49814    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:54.453269005 CEST    49814    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:54.456140995 CEST    49814    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:54.460948944 CEST    32583    49814    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:54.779515982 CEST    49815    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:54.784645081 CEST    32583    49815    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:54.784758091 CEST    49815    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:54.789495945 CEST    49815    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:54.794795036 CEST    32583    49815    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:56.361438036 CEST    32583    49815    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:56.361526966 CEST    49815    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:56.361716986 CEST    49815    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:56.366501093 CEST    32583    49815    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:56.703238010 CEST    49816    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:56.708115101 CEST    32583    49816    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:56.708646059 CEST    49816    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:56.712337971 CEST    49816    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:56.717237949 CEST    32583    49816    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:58.308229923 CEST    32583    49816    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:58.308418036 CEST    49816    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:58.308568001 CEST    49816    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:58.313322067 CEST    32583    49816    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:58.567123890 CEST    49817    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:58.572099924 CEST    32583    49817    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:55:58.572237015 CEST    49817    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:58.576112032 CEST    49817    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:55:58.580919027 CEST    32583    49817    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:00.140721083 CEST    32583    49817    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:00.143402100 CEST    49817    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:00.143402100 CEST    49817    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:00.148319006 CEST    32583    49817    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:00.402509928 CEST    49818    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:00.407943964 CEST    32583    49818    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:00.408152103 CEST    49818    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:00.428431988 CEST    49818    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:00.433715105 CEST    32583    49818    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:01.982851982 CEST    32583    49818    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:01.983339071 CEST    49818    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:01.983339071 CEST    49818    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:01.988291025 CEST    32583    49818    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:02.284939051 CEST    49819    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:02.290141106 CEST    32583    49819    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:02.290281057 CEST    49819    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:02.293914080 CEST    49819    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:02.298790932 CEST    32583    49819    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:03.883785963 CEST    32583    49819    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:03.884617090 CEST    49819    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:03.884905100 CEST    49819    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:03.889735937 CEST    32583    49819    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:04.161488056 CEST    49820    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:04.166555882 CEST    32583    49820    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:04.166815042 CEST    49820    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:04.170861959 CEST    49820    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:04.175717115 CEST    32583    49820    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:05.720983028 CEST    32583    49820    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:05.724651098 CEST    49820    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:05.724873066 CEST    49820    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:05.729640007 CEST    32583    49820    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:06.347522974 CEST    49821    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:06.352560043 CEST    32583    49821    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:06.352715015 CEST    49821    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:06.369915962 CEST    49821    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:06.374701977 CEST    32583    49821    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:08.065128088 CEST    32583    49821    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:08.068766117 CEST    49821    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:08.069000959 CEST    49821    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:08.073802948 CEST    32583    49821    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:08.391654968 CEST    49822    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:08.396502018 CEST    32583    49822    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:08.396749973 CEST    49822    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:08.400381088 CEST    49822    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:08.405237913 CEST    32583    49822    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:09.967767954 CEST    32583    49822    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:09.967988014 CEST    49822    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:09.968195915 CEST    49822    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:09.972961903 CEST    32583    49822    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:10.255125999 CEST    49823    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:10.260025024 CEST    32583    49823    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:10.260107994 CEST    49823    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:10.263458967 CEST    49823    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:10.268291950 CEST    32583    49823    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:11.849857092 CEST    32583    49823    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:11.849951029 CEST    49823    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:11.850078106 CEST    49823    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:11.854792118 CEST    32583    49823    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:11.978535891 CEST    49824    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:12.138118029 CEST    32583    49824    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:12.138273001 CEST    49824    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:12.205127954 CEST    49824    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:12.210092068 CEST    32583    49824    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:13.701663971 CEST    32583    49824    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:13.701730967 CEST    49824    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:13.701859951 CEST    49824    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:13.706655979 CEST    32583    49824    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:13.977427006 CEST    49825    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:13.982388973 CEST    32583    49825    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:13.982578993 CEST    49825    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:13.987428904 CEST    49825    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:13.992234945 CEST    32583    49825    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:15.565756083 CEST    32583    49825    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:15.568650007 CEST    49825    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:15.568813086 CEST    49825    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:15.788314104 CEST    32583    49825    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:15.833386898 CEST    49826    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:15.838517904 CEST    32583    49826    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:15.838603973 CEST    49826    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:15.842001915 CEST    49826    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:15.847142935 CEST    32583    49826    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:17.405141115 CEST    32583    49826    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:17.405509949 CEST    49826    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:17.405654907 CEST    49826    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:17.410410881 CEST    32583    49826    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:17.705889940 CEST    49827    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:17.711092949 CEST    32583    49827    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:17.711184025 CEST    49827    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:17.714737892 CEST    49827    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:17.719541073 CEST    32583    49827    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:19.265055895 CEST    32583    49827    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:19.265194893 CEST    49827    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:19.265371084 CEST    49827    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:19.271558046 CEST    32583    49827    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:19.552964926 CEST    49828    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:19.557845116 CEST    32583    49828    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:19.557933092 CEST    49828    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:19.581404924 CEST    49828    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:19.586597919 CEST    32583    49828    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:21.143318892 CEST    32583    49828    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:21.143403053 CEST    49828    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:21.143580914 CEST    49828    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:21.148313046 CEST    32583    49828    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:21.434211016 CEST    49829    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:21.439141989 CEST    32583    49829    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:21.439224958 CEST    49829    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:21.442589998 CEST    49829    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:21.447818995 CEST    32583    49829    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:23.019026995 CEST    32583    49829    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:23.019231081 CEST    49829    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:23.019294977 CEST    49829    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:23.024143934 CEST    32583    49829    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:23.119256973 CEST    49830    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:23.124368906 CEST    32583    49830    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:23.124440908 CEST    49830    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:23.373688936 CEST    49830    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:23.378746033 CEST    32583    49830    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:24.686070919 CEST    32583    49830    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:24.688730955 CEST    49830    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:24.688880920 CEST    49830    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:24.693777084 CEST    32583    49830    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:24.977365017 CEST    49831    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:24.982357025 CEST    32583    49831    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:24.982449055 CEST    49831    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:24.985764980 CEST    49831    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:24.990561008 CEST    32583    49831    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:26.547091961 CEST    32583    49831    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:26.547301054 CEST    49831    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:26.547806978 CEST    49831    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:26.552797079 CEST    32583    49831    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:26.851061106 CEST    49832    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:26.856059074 CEST    32583    49832    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:26.856724977 CEST    49832    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:26.860060930 CEST    49832    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:26.865910053 CEST    32583    49832    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:29.388452053 CEST    32583    49832    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:29.389044046 CEST    32583    49832    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:29.389219999 CEST    49832    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:29.389436960 CEST    32583    49832    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:29.390077114 CEST    32583    49832    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:29.390434027 CEST    49832    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:29.390772104 CEST    49832    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:29.392096043 CEST    49832    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:29.401216984 CEST    32583    49832    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:29.685467958 CEST    49833    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:29.690980911 CEST    32583    49833    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:29.692462921 CEST    49833    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:29.695712090 CEST    49833    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:29.700680017 CEST    32583    49833    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:31.369718075 CEST    32583    49833    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:31.369951010 CEST    49833    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:31.369951010 CEST    49833    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:31.374877930 CEST    32583    49833    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:31.679946899 CEST    49834    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:31.684959888 CEST    32583    49834    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:31.685065985 CEST    49834    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:31.688515902 CEST    49834    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:31.693320990 CEST    32583    49834    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:33.232973099 CEST    32583    49834    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:33.235479116 CEST    49834    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:33.235794067 CEST    49834    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:33.240636110 CEST    32583    49834    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:33.491575003 CEST    49835    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:33.496467113 CEST    32583    49835    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:33.496584892 CEST    49835    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:33.499963045 CEST    49835    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:33.504745960 CEST    32583    49835    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:35.047420979 CEST    32583    49835    198.23.227.212    192.168.2.5
                Sep 19, 2024 14:56:35.047492027 CEST    49835    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:35.047625065 CEST    49835    32583    192.168.2.5    198.23.227.212
                Sep 19, 2024 14:56:35.052592039 CEST    32583    49835    198.23.227.212    192.168.2.5


                Target ID:0
                Start time:08:52:26
                Start date:19/09/2024
                Path:C:\Users\user\Desktop\documents-pdf.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\documents-pdf.exe"
                Imagebase:0x400000
                File size:456'704 bytes
                MD5 hash:12D7E4DBCB67711B60C8F626D81C7438
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2128363256.000000000093D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2128430234.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000003.2038922031.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                Reputation:low
                Has exited:true

                Target ID:3
                Start time:08:52:26
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 956
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:5
                Start time:08:52:27
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1128
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:7
                Start time:08:52:29
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1136
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:9
                Start time:08:52:29
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1164
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:11
                Start time:08:52:30
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1156
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:13
                Start time:08:52:31
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1212
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:15
                Start time:08:52:32
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1252
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:16
                Start time:08:52:32
                Start date:19/09/2024
                Path:C:\Users\user\AppData\Roaming\yava_explore.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Roaming\yava_explore.exe"
                Imagebase:0x400000
                File size:456'704 bytes
                MD5 hash:12D7E4DBCB67711B60C8F626D81C7438
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.4507176842.000000000081D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.4507148871.00000000007D9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.4507176842.0000000000828000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000010.00000003.2103257618.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000010.00000002.4507281694.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown
                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown
                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000010.00000002.4506857118.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: ditekSHen
                Antivirus matches:
                • Detection: 76%, ReversingLabs
                Reputation:low
                Has exited:false

                Target ID:18
                Start time:08:52:32
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1380
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:20
                Start time:08:52:33
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 684
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:22
                Start time:08:52:33
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 744
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:24
                Start time:08:52:35
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 776
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:26
                Start time:08:52:36
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 680
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:28
                Start time:08:52:37
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 684
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:30
                Start time:08:52:38
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 732
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:31
                Start time:08:52:39
                Start date:19/09/2024
                Path:C:\Users\user\AppData\Roaming\yava_explore.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Roaming\yava_explore.exe"
                Imagebase:0x400000
                File size:456'704 bytes
                MD5 hash:12D7E4DBCB67711B60C8F626D81C7438
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001F.00000002.2190431886.000000000067C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.2190470825.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001F.00000003.2174054334.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown
                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown
                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001F.00000002.2190120515.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001F.00000002.2190598574.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                Has exited:true

                Target ID:33
                Start time:08:52:40
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 580
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:35
                Start time:08:52:40
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 780
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:37
                Start time:08:52:41
                Start date:19/09/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 716
                Imagebase:0x610000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true


                  Execution Graph

                  Execution Coverage:1.2%
                  Dynamic/Decrypted Code Coverage:3.6%
                  Signature Coverage:28.4%
                  Total number of Nodes:774
                  Total number of Limit Nodes:21
4020a6 88477->88478 88799 4024ed 88478->88799 88481->88077 88482->88083 88483->88091 88484->88100 88485->88108 88486->88119 88491 434563 88487->88491 88488 43bda0 ___std_exception_copy 21 API calls 88488->88491 88489 40f10c 88489->88126 88491->88488 88491->88489 88803 443001 7 API calls 2 library calls 88491->88803 88804 434c99 KiUserExceptionDispatcher Concurrency::cancel_current_task __CxxThrowException@8 88491->88804 88805 4352fb KiUserExceptionDispatcher Concurrency::cancel_current_task __CxxThrowException@8 88491->88805 88494->88153 88495->88159 88496->88168 88497->88142 88498->88148 88499->88151 88501->88175 88502->88180 88503->88185 88504->87999 88506->88013 88507->88020 88508->88033 88806 41ada8 106 API calls 88509->88806 88511 41b556 LoadResource LockResource SizeofResource 88510->88511 88512 40f419 88510->88512 88511->88512 88513 43bda0 88512->88513 88518 4461b8 __Getctype 88513->88518 88514 4461f6 88530 44062d 20 API calls _free 88514->88530 88516 4461e1 RtlAllocateHeap 88517 4461f4 88516->88517 88516->88518 88517->88219 88518->88514 88518->88516 88529 443001 7 API calls 2 library calls 88518->88529 88521 4020bf 88520->88521 88531 4023ce 88521->88531 88523 4020ca 88535 40250a 88523->88535 88525 4020d9 88525->88222 88527 4020b7 29 API calls 88526->88527 88528 406e27 88527->88528 88528->88229 88529->88518 88530->88517 88532 402428 88531->88532 88533 4023d8 88531->88533 88532->88523 88533->88532 88542 4027a7 11 API calls std::_Deallocate 88533->88542 88536 40251a 88535->88536 88537 402520 88536->88537 88538 402535 88536->88538 88543 402569 88537->88543 88553 4028e8 88538->88553 88541 402533 88541->88525 88542->88532 88564 402888 88543->88564 88545 40257d 88546 402592 88545->88546 88547 4025a7 88545->88547 88569 402a34 22 API calls 88546->88569 88549 4028e8 29 API calls 88547->88549 88552 4025a5 88549->88552 88550 40259b 88570 4029da 22 API calls 88550->88570 88552->88541 88554 4028f1 88553->88554 88555 402953 88554->88555 88557 4028fb 88554->88557 88581 
4028a4 88555->88581 88559 402904 88557->88559 88561 402917 88557->88561 88572 402cae 88559->88572 88562 402915 88561->88562 88563 4023ce 11 API calls 88561->88563 88562->88541 88563->88562 88565 402890 88564->88565 88566 402898 88565->88566 88571 402ca3 22 API calls 88565->88571 88566->88545 88569->88550 88570->88552 88573 402cb8 __EH_prolog 88572->88573 88584 402e54 22 API calls 88573->88584 88575 402d24 88577 402d6c 88575->88577 88576 4023ce 11 API calls 88578 402d92 88576->88578 88577->88576 88579 402da3 HeapCreate 88578->88579 88580 402db3 88579->88580 88580->88562 88585 435318 88581->88585 88583 4028ae 88584->88575 88590 435256 88585->88590 88589 435337 88596 40de71 88590->88596 88593 4391a6 88595 4391c6 88593->88595 88594 4391f8 KiUserExceptionDispatcher 88594->88589 88595->88594 88599 43889d 88596->88599 88598 40de9d 88598->88593 88600 4388d7 88599->88600 88601 4388aa 88599->88601 88600->88598 88601->88600 88602 43bda0 ___std_exception_copy 21 API calls 88601->88602 88603 4388c7 88602->88603 88603->88600 88604 441a8e ___std_exception_copy 20 API calls 88603->88604 88604->88600 88606 4020e7 88605->88606 88607 4023ce 11 API calls 88606->88607 88608 4020f2 88607->88608 88608->88238 88609->88238 88611 41ced2 88610->88611 88612 41cf31 88611->88612 88616 41cee2 88611->88616 88613 41cf4b 88612->88613 88627 41d071 28 API calls 88612->88627 88615 41d1d7 29 API calls 88613->88615 88618 41cf2d 88615->88618 88617 41cf1a 88616->88617 88622 41d071 28 API calls 88616->88622 88623 41d1d7 88617->88623 88618->88238 88621->88246 88622->88617 88624 41d1e0 88623->88624 88628 41d283 88624->88628 88627->88613 88629 41d28c 88628->88629 88632 41d331 88629->88632 88634 41d33c 88632->88634 88633 41d1ea 88633->88618 88634->88633 88635 4020f6 29 API calls 88634->88635 88635->88633 88636->88261 88637->88265 88638->88267 88642 4032aa 88640->88642 88641 4032c9 88641->88277 88642->88641 88643 4028e8 29 API calls 88642->88643 88643->88641 88645 4051fb 88644->88645 88654 405274 88645->88654 
88647 405208 88647->88280 88649 402061 88648->88649 88650 4023ce 11 API calls 88649->88650 88651 40207b 88650->88651 88658 40267a 88651->88658 88655 405282 88654->88655 88656 4028a4 22 API calls 88655->88656 88657 4052fc 88656->88657 88659 40268b 88658->88659 88660 4023ce 11 API calls 88659->88660 88661 40208d 88660->88661 88661->88283 88662->88291 88663->88296 88666 41b362 88665->88666 88667 41c055 GetCurrentProcess IsWow64Process 88665->88667 88669 4135e1 RegOpenKeyExA 88666->88669 88667->88666 88668 41c06c 88667->88668 88668->88666 88670 41360f RegQueryValueExA RegCloseKey 88669->88670 88671 413639 88669->88671 88670->88671 88672 402093 29 API calls 88671->88672 88673 41364e 88672->88673 88673->88307 88674->88315 88676 4022ac 88675->88676 88677 40225c 88675->88677 88676->88327 88677->88676 88679 402779 11 API calls std::_Deallocate 88677->88679 88679->88676 88681 40cd6e 88680->88681 88682 40cdaa 88680->88682 88733 40b9b7 88681->88733 88684 40b9b7 28 API calls 88682->88684 88685 40cdeb 88682->88685 88688 40cdc1 88684->88688 88686 40ce2c 88685->88686 88689 40b9b7 28 API calls 88685->88689 88686->88359 88686->88360 88691 403014 28 API calls 88688->88691 88692 40ce02 88689->88692 88690 403014 28 API calls 88693 40cd8a 88690->88693 88694 40cdcb 88691->88694 88695 403014 28 API calls 88692->88695 88696 41384f 14 API calls 88693->88696 88697 41384f 14 API calls 88694->88697 88698 40ce0c 88695->88698 88699 40cd9e 88696->88699 88700 40cddf 88697->88700 88701 41384f 14 API calls 88698->88701 88702 401f09 11 API calls 88699->88702 88704 401f09 11 API calls 88700->88704 88703 40ce20 88701->88703 88702->88682 88705 401f09 11 API calls 88703->88705 88704->88685 88705->88686 88707->88337 88763 403222 88708->88763 88710 403022 88767 403262 88710->88767 88713 401f13 28 API calls 88713->88343 88714->88338 88715->88371 88716->88385 88717->88397 88718->88370 88721 404186 88720->88721 88722 402252 11 API calls 88721->88722 88723 404191 88722->88723 88789 4041bc 28 API calls 
88723->88789 88725 40419c 88726 41bcef 28 API calls 88725->88726 88726->88377 88728 4138a1 88727->88728 88730 413864 88727->88730 88729 401f09 11 API calls 88728->88729 88731 40d056 88729->88731 88732 41387d RegSetValueExW RegCloseKey 88730->88732 88731->88393 88732->88728 88740 401f86 88733->88740 88735 40b9c3 88744 40314c 88735->88744 88737 40b9df 88748 40325d 88737->88748 88741 401f8e 88740->88741 88742 402252 11 API calls 88741->88742 88743 401f99 88742->88743 88743->88735 88745 403156 88744->88745 88747 403175 88745->88747 88752 4027e6 28 API calls 88745->88752 88747->88737 88749 40323f 88748->88749 88753 4036a6 88749->88753 88751 40324c 88751->88690 88752->88747 88754 402888 22 API calls 88753->88754 88755 4036b9 88754->88755 88756 40372c 88755->88756 88757 4036de 88755->88757 88758 4028a4 22 API calls 88756->88758 88761 4036f0 88757->88761 88762 4027e6 28 API calls 88757->88762 88759 403733 88758->88759 88761->88751 88762->88761 88764 40322e 88763->88764 88773 403618 88764->88773 88766 40323b 88766->88710 88768 40326e 88767->88768 88769 402252 11 API calls 88768->88769 88770 403288 88769->88770 88785 402336 88770->88785 88774 403626 88773->88774 88775 403644 88774->88775 88776 40362c 88774->88776 88778 40365c 88775->88778 88779 40369e 88775->88779 88777 4036a6 28 API calls 88776->88777 88783 403642 88777->88783 88778->88783 88784 4027e6 28 API calls 88778->88784 88780 4028a4 22 API calls 88779->88780 88781 4036a5 88780->88781 88783->88766 88784->88783 88786 402347 88785->88786 88787 402252 11 API calls 88786->88787 88788 4023c7 88787->88788 88788->88713 88789->88725 88790->88422 88791->88464 88792->88447 88793->88453 88794->88448 88795->88454 88796->88436 88797->88440 88798->88446 88800 4024f9 88799->88800 88801 40250a 29 API calls 88800->88801 88802 4020b1 88801->88802 88802->88070 88803->88491 88814 412829 62 API calls 88807->88814 88815 43bea8 88816 43beb4 _swprintf ___DestructExceptionObject 88815->88816 88817 43bec2 88816->88817 88819 43beec 
88816->88819 88831 44062d 20 API calls _free 88817->88831 88826 445909 RtlEnterCriticalSection 88819->88826 88821 43bef7 88827 43bf98 88821->88827 88822 43bec7 ___DestructExceptionObject __cftoe 88826->88821 88829 43bfa6 88827->88829 88828 43bf02 88832 43bf1f RtlLeaveCriticalSection std::_Lockit::~_Lockit 88828->88832 88829->88828 88833 4497ec 36 API calls 2 library calls 88829->88833 88831->88822 88832->88822 88833->88829 88834 93d77e 88835 93d78d 88834->88835 88838 93df1e 88835->88838 88844 93df39 88838->88844 88839 93df42 CreateToolhelp32Snapshot 88840 93df5e Module32First 88839->88840 88839->88844 88841 93d796 88840->88841 88842 93df6d 88840->88842 88845 93dbdd 88842->88845 88844->88839 88844->88840 88846 93dc08 88845->88846 88847 93dc19 VirtualAlloc 88846->88847 88848 93dc51 88846->88848 88847->88848 88849 40165e 88850 401666 88849->88850 88851 401669 88849->88851 88852 4016a8 88851->88852 88854 401696 88851->88854 88853 43455e new 22 API calls 88852->88853 88855 40169c 88853->88855 88856 43455e new 22 API calls 88854->88856 88856->88855

                  Control-flow Graph

                  APIs
                  • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad$HandleModule
                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                  • API String ID: 4236061018-3687161714
                  • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                  • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                  • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                  • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\documents-pdf.exe,00000104), ref: 0040EA29
                    • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                  • String ID: 8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\documents-pdf.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-AYRCHN$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                  • API String ID: 2830904901-3178830685
                  • Opcode ID: 6d2666af1692ae8cddda2c07660e2d7727387c2d3a9dfbe455eb3a779be539f1
                  • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                  • Opcode Fuzzy Hash: 6d2666af1692ae8cddda2c07660e2d7727387c2d3a9dfbe455eb3a779be539f1
                  • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                  Control-flow Graph

                  APIs
                  • _wcslen.LIBCMT ref: 0040CE42
                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\documents-pdf.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                  • _wcslen.LIBCMT ref: 0040CF21
                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\documents-pdf.exe,00000000,00000000), ref: 0040CFBF
                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                  • _wcslen.LIBCMT ref: 0040D001
                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                  • ExitProcess.KERNEL32 ref: 0040D09D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                  • String ID: 6$C:\Users\user\Desktop\documents-pdf.exe$del$open
                  • API String ID: 1579085052-416382201
                  • Opcode ID: 15a0a4552cc61959ad72e4f5590c635c58165fc4f07b2b8d2eaf7d3335a4460a
                  • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                  • Opcode Fuzzy Hash: 15a0a4552cc61959ad72e4f5590c635c58165fc4f07b2b8d2eaf7d3335a4460a
                  • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E

                  Control-flow Graph

                  APIs
                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LongNamePath
                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                  • API String ID: 82841172-425784914
                  • Opcode ID: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
                  • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                  • Opcode Fuzzy Hash: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
                  • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                  Control-flow Graph (graph image omitted; basic blocks 85003c-8508f9, calling VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA)
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0085024D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocVirtual
                  • String ID: cess$kernel32.dll
                  • API String ID: 4275171209-1230238691
                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                  • Instruction ID: 9ffaffdf63b24cf2c4954eb85ab18bbc56d13ae023dc0953f1fb4bac2391a998
                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                  • Instruction Fuzzy Hash: 76527974A01229DFDB64CF58C985BA8BBB1BF09305F1480D9E94DAB351DB30AE89DF14

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                  • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                  • API String ID: 782494840-2070987746
                  • Opcode ID: c98b1087101755a38b82246d9aa98e7144fe1c3d7bc526724a740bbc80c710b4
                  • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                  • Opcode Fuzzy Hash: c98b1087101755a38b82246d9aa98e7144fe1c3d7bc526724a740bbc80c710b4
                  • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                  Control-flow Graph

                  (graph image omitted; basic blocks 41384f-4138b1, calling RegCreateKeyW, RegSetValueExW and RegCloseKey)
                  APIs
                  • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                  • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 00413888
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,759237E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                  • API String ID: 1818849710-1051519024
                  • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                  • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                  • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                  • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94

                  Control-flow Graph

                  (graph image omitted; basic block 40d0a4-40d0d0, calling CreateMutexA and GetLastError)
                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                  • GetLastError.KERNEL32 ref: 0040D0BE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateErrorLastMutex
                  • String ID: Rmc-AYRCHN
                  • API String ID: 1925916568-1213370029
                  • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                  • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                  • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                  • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519

                  Control-flow Graph

                  (graph image omitted; basic blocks 4135e1-413655, calling RegOpenKeyExA, RegQueryValueExA and RegCloseKey)
                  APIs
                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                  • RegCloseKey.KERNEL32(?), ref: 0041362D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: 859e64f62c27df18338a46db6ec3b0787647947da56704c1ae6da14bd80b9033
                  • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                  • Opcode Fuzzy Hash: 859e64f62c27df18338a46db6ec3b0787647947da56704c1ae6da14bd80b9033
                  • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4

                  Control-flow Graph

                  (graph image omitted; basic blocks 413584-4135e0, calling RegOpenKeyExA, RegQueryValueExA and RegCloseKey)
                  APIs
                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                  • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                  • RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                  • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                  • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                  • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94

                  Control-flow Graph

                  (graph image omitted; basic blocks 93df1e-93df7c, calling CreateToolhelp32Snapshot and Module32First)
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0093DF46
                  • Module32First.KERNEL32(00000000,00000224), ref: 0093DF66
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128363256.000000000093D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_93d000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateFirstModule32SnapshotToolhelp32
                  • String ID:
                  • API String ID: 3833638111-0
                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                  • Instruction ID: b1586bd0321e17665e04f0e70b09852a0baf9071e96dea2c9f7807d3241f7e54
                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                  • Instruction Fuzzy Hash: 3EF096321117157BD7203BF5B8DDBAEB6ECAF49764F100529E647914C0DB70EC458E61

                  Control-flow Graph

                  (graph image omitted; basic blocks 40165e-4016b3, calling subroutine 43455e, no API calls)
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                  • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                  • Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                  • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D

                  Control-flow Graph

                  (graph image omitted; basic blocks 850e0f-850e2c, calling SetErrorMode twice)
                  APIs
                  • SetErrorMode.KERNEL32(00000400,?,?,00850223,?,?), ref: 00850E19
                  • SetErrorMode.KERNEL32(00000000,?,?,00850223,?,?), ref: 00850E1E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                  • Instruction ID: 8c0978d29aaa8d1e2b7b9d12da5bb918dd92a12b0de968aff13129d8cf45e905
                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                  • Instruction Fuzzy Hash: C9D0123114512877DB002A94DC09BCD7B1CDF05B63F108411FB0DD9080C770994046E5

                  Control-flow Graph

                  (graph image omitted; basic block 435318-435337, calling subroutines 435256 and 4391a6)
                  APIs
                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00435324
                    • Part of subcall function 00435256: std::exception::exception.LIBCONCRT ref: 00435263
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00435332
                    • Part of subcall function 004391A6: KiUserExceptionDispatcher.NTDLL(?,?,WSC,?,00476B50,00474D58,00000000,?,?,?,?,00435357,?,0046E518,?), ref: 00439205
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DispatcherExceptionException@8ThrowUserstd::exception::exceptionstd::invalid_argument::invalid_argument
                  • String ID:
                  • API String ID: 3444566077-0
                  • Opcode ID: c1f355d76cbf261de27ab7331513026638421a1bccd6dd9868bc1c4aaeffe90e
                  • Instruction ID: bea129a3fa9c90340cfce9695bf35535791edddc481a551831ae993a6ef9e815
                  • Opcode Fuzzy Hash: c1f355d76cbf261de27ab7331513026638421a1bccd6dd9868bc1c4aaeffe90e
                  • Instruction Fuzzy Hash: 78C08034C0010C77CF00FAF2D806D8D777C5D08340F404566761051041EBB8A7048AC9
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                  • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                  • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                  • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0093DC2E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128363256.000000000093D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_93d000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                  • Instruction ID: e7644005563ad1c8d06058c0a3b1fc33c3716ceb58df303da0036c02f281038c
                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                  • Instruction Fuzzy Hash: 42112B79A00208EFDB01DF98C985E98BBF5AF08351F198094F9889B362D371EA50DF80
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 00407CF4
                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                  • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                    • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                    • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                    • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                  • DeleteFileA.KERNEL32(?), ref: 0040868D
                    • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                    • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                    • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                    • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                  • Sleep.KERNEL32(000007D0), ref: 00408733
                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                    • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                  • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                  • API String ID: 1067849700-181434739
                  • Opcode ID: 57ee52f4051f893099c01d97bf459cfc6dbd299d91290913b88445ae7f43a42d
                  • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                  • Opcode Fuzzy Hash: 57ee52f4051f893099c01d97bf459cfc6dbd299d91290913b88445ae7f43a42d
                  • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 004056E6
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • __Init_thread_footer.LIBCMT ref: 00405723
                  • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                  • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                  • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                  • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                  • CloseHandle.KERNEL32 ref: 00405A23
                  • CloseHandle.KERNEL32 ref: 00405A2B
                  • CloseHandle.KERNEL32 ref: 00405A3D
                  • CloseHandle.KERNEL32 ref: 00405A45
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                  • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                  • API String ID: 2994406822-18413064
                  • Opcode ID: d223d24c6fe98cdb97ef3eaa950505dfb771a3582b87fb4520f0d7c1eb945dad
                  • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                  • Opcode Fuzzy Hash: d223d24c6fe98cdb97ef3eaa950505dfb771a3582b87fb4520f0d7c1eb945dad
                  • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                  APIs
                  • GetCurrentProcessId.KERNEL32 ref: 00412141
                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                    • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                  • CloseHandle.KERNEL32(00000000), ref: 00412190
                  • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                  • API String ID: 3018269243-13974260
                  • Opcode ID: be382ae3246a84b07804265bcb915cb84d61a731cde31d212bac553ac141f8d6
                  • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                  • Opcode Fuzzy Hash: be382ae3246a84b07804265bcb915cb84d61a731cde31d212bac553ac141f8d6
                  • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                  • FindClose.KERNEL32(00000000), ref: 0040BC04
                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                  • FindClose.KERNEL32(00000000), ref: 0040BD4D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFile$FirstNext
                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                  • API String ID: 1164774033-3681987949
                  • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                  • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                  • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                  • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                  APIs
                  • OpenClipboard.USER32 ref: 004168FD
                  • EmptyClipboard.USER32 ref: 0041690B
                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                  • GlobalLock.KERNEL32(00000000), ref: 00416934
                  • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                  • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                  • CloseClipboard.USER32 ref: 00416990
                  • OpenClipboard.USER32 ref: 00416997
                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                  • CloseClipboard.USER32 ref: 004169BF
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                  • String ID: !D@
                  • API String ID: 3520204547-604454484
                  • Opcode ID: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                  • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                  • Opcode Fuzzy Hash: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                  • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                  APIs
                  • NtdllDefWindowProc_A.USER32(?,00000401,?,?), ref: 0041D66B
                  • GetCursorPos.USER32(?), ref: 0041D67A
                  • SetForegroundWindow.USER32(?), ref: 0041D683
                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                  • Shell_NotifyIcon.SHELL32(00000002,00474B48), ref: 0041D6EE
                  • ExitProcess.KERNEL32 ref: 0041D6F6
                  • CreatePopupMenu.USER32 ref: 0041D6FC
                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                  • String ID: Close
                  • API String ID: 1665278180-3535843008
                  • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                  • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                  • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                  • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                  • FindClose.KERNEL32(00000000), ref: 0040BE04
                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                  • FindClose.KERNEL32(00000000), ref: 0040BEEA
                  • FindClose.KERNEL32(00000000), ref: 0040BF0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Close$File$FirstNext
                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                  • API String ID: 3527384056-432212279
                  • Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                  • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                  • Opcode Fuzzy Hash: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                  • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                  APIs
                  • __EH_prolog.LIBCMT ref: 0041A04A
                  • 73C35D90.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                  • Sleep.KERNEL32(000003E8), ref: 0041A18E
                  • GetLocalTime.KERNEL32(?), ref: 0041A196
                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Sleep$CreateDirectoryH_prologLocalTime
                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                  • API String ID: 3069631530-1431523004
                  • Opcode ID: 30750e6e73f37d6c330a1ac1f5d9b70380b3b050e4f364432e34ce78d6a6d789
                  • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                  • Opcode Fuzzy Hash: 30750e6e73f37d6c330a1ac1f5d9b70380b3b050e4f364432e34ce78d6a6d789
                  • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                  APIs
                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                  • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                  • CloseHandle.KERNEL32(00000000), ref: 0041349A
                  • CloseHandle.KERNEL32(?), ref: 004134A0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                  • String ID:
                  • API String ID: 297527592-0
                  • Opcode ID: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
                  • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                  • Opcode Fuzzy Hash: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
                  • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                  APIs
                  • NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0086D8D2
                  • GetCursorPos.USER32(?), ref: 0086D8E1
                  • SetForegroundWindow.USER32(?), ref: 0086D8EA
                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0086D904
                  • Shell_NotifyIcon.SHELL32(00000002,00474B48), ref: 0086D955
                  • ExitProcess.KERNEL32 ref: 0086D95D
                  • CreatePopupMenu.USER32 ref: 0086D963
                  • AppendMenuA.USER32(00000000,00000000,00000000,0046CF5C), ref: 0086D978
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                  • String ID:
                  • API String ID: 1665278180-0
                  • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                  • Instruction ID: 4efe7b4fc0fbbc9cd56bdade2f0a517bdf8ce6952bd3c3b07296cbea3591452f
                  • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                  • Instruction Fuzzy Hash: F421F571644309FBDB095FA4ED0EAA97F65FB08302F010128FA06D50B2D771ED61EB58
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                  • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                  • API String ID: 3756808967-1743721670
                  • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                  • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                  • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                  • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0$1$2$3$4$5$6$7$VG
                  • API String ID: 0-1861860590
                  • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                  • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                  • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                  • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                  APIs
                  • _wcslen.LIBCMT ref: 0040755C
                  • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object_wcslen
                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                  • API String ID: 240030777-3166923314
                  • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                  • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                  • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                  • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                  APIs
                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                  • GetLastError.KERNEL32 ref: 0041A84C
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                  • String ID:
                  • API String ID: 3587775597-0
                  • Opcode ID: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                  • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                  • Opcode Fuzzy Hash: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                  • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                  APIs
                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0086AA56
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0086AAA5
                  • GetLastError.KERNEL32 ref: 0086AAB3
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0086AAEB
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                  • String ID:
                  • API String ID: 3587775597-0
                  • Opcode ID: a103e76dbcfb3da65abf4833947f0e746439e5ab83e6bce2808fe49156252710
                  • Instruction ID: edda513800235d875de78d66558659de6ca20373303f5eb875d3116d77d97873
                  • Opcode Fuzzy Hash: a103e76dbcfb3da65abf4833947f0e746439e5ab83e6bce2808fe49156252710
                  • Instruction Fuzzy Hash: B1813E71104304ABC705EB24D881DAFB7A8FF95755F50082DF98592192EF74EA4CCBA7
                  APIs
                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 008636B9
                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 008636C7
                  • GetFileSize.KERNEL32(?,00000000), ref: 008636D4
                  • UnmapViewOfFile.KERNEL32(00000000), ref: 008636F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$View$CreateMappingSizeUnmap
                  • String ID:
                  • API String ID: 2708475042-0
                  • Opcode ID: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                  • Instruction ID: bbf08f6a5568dc069d380b2c551396bd91fca2f614dd10b2e5429755b93355d3
                  • Opcode Fuzzy Hash: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                  • Instruction Fuzzy Hash: E241D171108301BBE710AB29DC4AF2B7AACFF89765F110929F555D61E2EB30DA00DB76
                  APIs
                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                  • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                  • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                  • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                  • String ID: JD$JD$JD
                  • API String ID: 745075371-3517165026
                  • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                  • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                  • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                  • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                  • FindClose.KERNEL32(00000000), ref: 0040C4B8
                  • FindClose.KERNEL32(00000000), ref: 0040C4E3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFile$FirstNext
                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                  • API String ID: 1164774033-405221262
                  • Opcode ID: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                  • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                  • Opcode Fuzzy Hash: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                  • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                  APIs
                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                  • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                  • String ID:
                  • API String ID: 2341273852-0
                  • Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                  • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                  • Opcode Fuzzy Hash: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                  • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                  APIs
                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0086C5E4
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0086C614
                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000000), ref: 0086C686
                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0086C693
                    • Part of subcall function 0086C589: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0086C669
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0086C6B4
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0086C6CA
                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0086C6D1
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0086C6DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                  • String ID:
                  • API String ID: 2341273852-0
                  • Opcode ID: 3ce5481c26192bdbfdec80ea01d0d7f8eca5c7462b2347321480bf835a106a91
                  • Instruction ID: 8024ed82585090c14dfbcd74e4afb354aaa77eb17d91942215e46621d961f7ec
                  • Opcode Fuzzy Hash: 3ce5481c26192bdbfdec80ea01d0d7f8eca5c7462b2347321480bf835a106a91
                  • Instruction Fuzzy Hash: B131707280421CAADB20EB64DC48AEB77ACFB14315F1405BAF559D2052EF35DA848B69
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Find$CreateFirstNext
                  • String ID: 8SG$PXG$PXG$NG$PG
                  • API String ID: 341183262-3812160132
                  • Opcode ID: caaf20991fb0d4a835dfcc6eb49c48933187ae011853b308f7bae77b98fa7ff1
                  • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                  • Opcode Fuzzy Hash: caaf20991fb0d4a835dfcc6eb49c48933187ae011853b308f7bae77b98fa7ff1
                  • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?), ref: 0086A043
                    • Part of subcall function 0086C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00854396,00465E84), ref: 0086C796
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CreateFindFirst
                  • String ID: 8SG$8eF$PXG$PXG$NG$PG
                  • API String ID: 41799849-432830541
                  • Opcode ID: 5584b3d18adbed3091afe8ba58a2a7bcfc961150b038985754328bafed151b69
                  • Instruction ID: c127c42e7bcfccb89be44edf1ce66aa3101e194ef3f1628e58dc6254a81ee411
                  • Opcode Fuzzy Hash: 5584b3d18adbed3091afe8ba58a2a7bcfc961150b038985754328bafed151b69
                  • Instruction Fuzzy Hash: 598121315486409BC318FB28D852AEFB3A5FFA2351F40492DB956D71E2EF309A4DCA53
                  APIs
                  • __EH_prolog.LIBCMT ref: 00858AB3
                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00858B6C
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00858B94
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00858BA1
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00858CB7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                  • String ID: xdF$y~E
                  • API String ID: 1771804793-3309775686
                  • Opcode ID: fbec0ca1c6534dac2abf004e93539abf94b6fbf8a08b3c57209892525d8be330
                  • Instruction ID: da70e87db6e48d0382ac33285da6ec9902e1c5dff2bf568e0b149e4254b399cd
                  • Opcode Fuzzy Hash: fbec0ca1c6534dac2abf004e93539abf94b6fbf8a08b3c57209892525d8be330
                  • Instruction Fuzzy Hash: 57515F72900208AACB04FB78DD969ED7778FF51352F50016ABD06E7192EF349B4D8B92
                  APIs
                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00866AF8
                  • LoadLibraryA.KERNEL32(0046C780,0046C770,00000000,00000000,00000000), ref: 00866B0D
                  • GetProcAddress.KERNEL32(00000000), ref: 00866B14
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressExitLibraryLoadProcWindows
                  • String ID: !D@$$aF$(aF$,aF
                  • API String ID: 1366546845-3582022958
                  • Opcode ID: 75a5f7744587ae04ae432d9f49b3193e247e450872959b9b9f64d20b602a3b7a
                  • Instruction ID: 944617bede89d8cfc33695ac5d29115187a0b7b33cdfdc11f88dfe701e1cd4d9
                  • Opcode Fuzzy Hash: 75a5f7744587ae04ae432d9f49b3193e247e450872959b9b9f64d20b602a3b7a
                  • Instruction Fuzzy Hash: C221E662604306A7CB04F7B89866ABE7659FB52312F404C397902E72C3FF658C0DC627
                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                  • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                  • GetLastError.KERNEL32 ref: 0040A328
                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                  • TranslateMessage.USER32(?), ref: 0040A385
                  • DispatchMessageA.USER32(?), ref: 0040A390
                  Strings
                  • Keylogger initialization failure: error , xrefs: 0040A33C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                  • String ID: Keylogger initialization failure: error
                  • API String ID: 3219506041-952744263
                  • Opcode ID: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                  • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                  • Opcode Fuzzy Hash: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                  • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00466A94), ref: 0085BE51
                  • FindClose.KERNEL32(00000000), ref: 0085BE6B
                  • FindNextFileA.KERNEL32(00000000,?), ref: 0085BF8E
                  • FindClose.KERNEL32(00000000), ref: 0085BFB4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFile$FirstNext
                  • String ID:
                  • API String ID: 1164774033-0
                  • Opcode ID: 63b5c3d314a4db64527c0e7c5aa918f33f6a2b2645f393baa9aaff12138484f1
                  • Instruction ID: dc87d6ed4d7696c265044c809535de2cc032837ea57394d205d3d6a666ebe611
                  • Opcode Fuzzy Hash: 63b5c3d314a4db64527c0e7c5aa918f33f6a2b2645f393baa9aaff12138484f1
                  • Instruction Fuzzy Hash: DA513F35904119ABDB14FBB8DC56EEEB739FF22302F500169F806E2096FF305A4D8A56
                  APIs
                  • GetForegroundWindow.USER32 ref: 0040A451
                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                  • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                  • GetKeyState.USER32(00000010), ref: 0040A46E
                  • GetKeyboardState.USER32(?), ref: 0040A479
                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                  • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                  • String ID:
                  • API String ID: 1888522110-0
                  • Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                  • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                  • Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                  • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$PkGNG
                  • API String ID: 4168288129-3873169313
                  • Opcode ID: ed5127cdc400e90a0cd04182132ef1189bad1dc249964083a3aeb657203f5d4f
                  • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                  • Opcode Fuzzy Hash: ed5127cdc400e90a0cd04182132ef1189bad1dc249964083a3aeb657203f5d4f
                  • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                  APIs
                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                  • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressCloseCreateLibraryLoadProcsend
                  • String ID: SHDeleteKeyW$Shlwapi.dll
                  • API String ID: 2127411465-314212984
                  • Opcode ID: a6a93bd255a855ccf0855af28b1f56e39ec17b7cd1a2aa56d8f11b261ee1d6f5
                  • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                  • Opcode Fuzzy Hash: a6a93bd255a855ccf0855af28b1f56e39ec17b7cd1a2aa56d8f11b261ee1d6f5
                  • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                  APIs
                  • _free.LIBCMT ref: 00449292
                  • _free.LIBCMT ref: 004492B6
                  • _free.LIBCMT ref: 0044943D
                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                  • _free.LIBCMT ref: 00449609
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                  • String ID:
                  • API String ID: 314583886-0
                  • Opcode ID: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                  • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                  • Opcode Fuzzy Hash: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                  • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                  APIs
                    • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                    • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                    • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                    • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                    • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                  • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                  • String ID: !D@$PowrProf.dll$SetSuspendState
                  • API String ID: 1589313981-2876530381
                  • Opcode ID: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                  • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                  • Opcode Fuzzy Hash: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                  • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                  APIs
                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                  • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                  • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                  Strings
                  • http://geoplugin.net/json.gp, xrefs: 0041B448
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleOpen$FileRead
                  • String ID: http://geoplugin.net/json.gp
                  • API String ID: 3121278467-91888290
                  • Opcode ID: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                  • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                  • Opcode Fuzzy Hash: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                  • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                  APIs
                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                  • GetLastError.KERNEL32 ref: 0040BA93
                  Strings
                  • UserProfile, xrefs: 0040BA59
                  • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                  • [Chrome StoredLogins not found], xrefs: 0040BAAD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteErrorFileLast
                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  • API String ID: 2018770650-1062637481
                  • Opcode ID: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                  • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                  • Opcode Fuzzy Hash: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                  • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                  APIs
                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                  • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                  • GetLastError.KERNEL32 ref: 004179D8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                  • String ID: SeShutdownPrivilege
                  • API String ID: 3534403312-3733053543
                  • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                  • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                  • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                  • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                  APIs
                  • __EH_prolog.LIBCMT ref: 00409293
                    • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                  • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                  • FindClose.KERNEL32(00000000), ref: 004093FC
                    • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                    • Part of subcall function 00404E26: SetEvent.KERNEL32(00000000), ref: 00404E43
                    • Part of subcall function 00404E26: CloseHandle.KERNEL32(00000000), ref: 00404E4C
                  • FindClose.KERNEL32(00000000), ref: 004095F4
                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                  • String ID:
                  • API String ID: 1824512719-0
                  • Opcode ID: 3ade924ac47625219dbf125d454a2369da9307e37c7e998873117a4f323d940e
                  • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                  • Opcode Fuzzy Hash: 3ade924ac47625219dbf125d454a2369da9307e37c7e998873117a4f323d940e
                  • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: FSE$FSE$PkGNG
                  • API String ID: 0-1266307253
                  • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                  • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                  • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                  • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ManagerStart
                  • String ID:
                  • API String ID: 276877138-0
                  • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                  • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                  • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                  • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                  APIs
                    • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                    • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                    • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                  • Sleep.KERNEL32(00000BB8), ref: 0040F896
                  • ExitProcess.KERNEL32 ref: 0040F905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseExitOpenProcessQuerySleepValue
                  • String ID: 5.1.2 Pro$override$pth_unenc
                  • API String ID: 2281282204-3554326054
                  • Opcode ID: 1ed3daa43cea5a2e5783669c753d3b37d94c29cfe39d4015f84ade39b6c46fae
                  • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                  • Opcode Fuzzy Hash: 1ed3daa43cea5a2e5783669c753d3b37d94c29cfe39d4015f84ade39b6c46fae
                  • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                  APIs
                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                  • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: ACP$OCP
                  • API String ID: 2299586839-711371036
                  • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                  • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                  • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                  • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                  APIs
                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,008A2A42,?,00000000), ref: 008A27BC
                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,008A2A42,?,00000000), ref: 008A27E5
                  • GetACP.KERNEL32(?,?,008A2A42,?,00000000), ref: 008A27FA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: ACP$OCP
                  • API String ID: 2299586839-711371036
                  • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                  • Instruction ID: f4f4aa4b415bbe6df175d0516e669992fac571ce0e43cf7cf42884a04d1a298b
                  • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                  • Instruction Fuzzy Hash: 20217136A04104A7FB348F5CC901A9B73A6FB56B65B568574F90AD7D10E736DE40C350
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00857AF9
                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00857BC1
                    • Part of subcall function 00854D08: send.WS2_32(?,00000000,00000000,00000000), ref: 00854D9D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileFind$FirstNextsend
                  • String ID: 8eF$XPG$XPG
                  • API String ID: 4113138495-4157548504
                  • Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                  • Instruction ID: c779e028f1e6ddf9db8116407ef5d7e4d48e2528cdb8e6413b677cca74134611
                  • Opcode Fuzzy Hash: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                  • Instruction Fuzzy Hash: 192173311082445BC714FB68D896DEFB3A8FF91356F404929BD86D2192FF349A0C8653
                  APIs
                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                  • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                  • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                  • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Resource$FindLoadLockSizeof
                  • String ID: SETTINGS
                  • API String ID: 3473537107-594951305
                  • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                  • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                  • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                  • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                  APIs
                  • __EH_prolog.LIBCMT ref: 004096A5
                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                  • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstH_prologNext
                  • String ID:
                  • API String ID: 1157919129-0
                  • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                  • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                  • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                  • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                  APIs
                  • __EH_prolog.LIBCMT ref: 0085990C
                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00859984
                  • FindNextFileW.KERNEL32(00000000,?), ref: 008599AD
                  • FindClose.KERNEL32(?), ref: 008599C4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstH_prologNext
                  • String ID:
                  • API String ID: 1157919129-0
                  • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                  • Instruction ID: 01afa679e84730671ef5b59856393312c0546c4715d787fae87aff87ac68152a
                  • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                  • Instruction Fuzzy Hash: F7813D32800118DBCB15EBA8DC929EEB778FF55311F14416AE946E71A1EF306B4DCB92
                  APIs
                    • Part of subcall function 008984FC: GetLastError.KERNEL32(?,0088F9D7,0088AADC,0088F9D7,00474EF8,PkGNG,0088D0CC,FF8BC35D,00474EF8,00474EF8), ref: 00898500
                    • Part of subcall function 008984FC: _free.LIBCMT ref: 00898533
                    • Part of subcall function 008984FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898574
                    • Part of subcall function 008984FC: _abort.LIBCMT ref: 0089857A
                    • Part of subcall function 008984FC: _free.LIBCMT ref: 0089855B
                    • Part of subcall function 008984FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898568
                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 008A2A03
                  • IsValidCodePage.KERNEL32(00000000), ref: 008A2A5E
                  • IsValidLocale.KERNEL32(?,00000001), ref: 008A2A6D
                  • GetLocaleInfoW.KERNEL32(?,00001001,00894D54,00000040,?,00894E74,00000055,00000000,?,?,00000055,00000000), ref: 008A2AB5
                  • GetLocaleInfoW.KERNEL32(?,00001002,00894DD4,00000040), ref: 008A2AD4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                  • String ID:
                  • API String ID: 745075371-0
                  • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                  • Instruction ID: a218f9dc4126b02937b01d06e3109fdd18083781b498387c3cd91228eb26c058
                  • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                  • Instruction Fuzzy Hash: 04516C7190021AAAEF30EBA8CC41EBA77B8FF0A700F184569E914E7551EB74AD448B61
                  APIs
                  • __EH_prolog.LIBCMT ref: 0040884C
                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                  • String ID:
                  • API String ID: 1771804793-0
                  • Opcode ID: 843b8ba1ae12666909db2d3cdb5f959f627af5f6bd09d542dbf7623ab931e100
                  • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                  • Opcode Fuzzy Hash: 843b8ba1ae12666909db2d3cdb5f959f627af5f6bd09d542dbf7623ab931e100
                  • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,00466C74,00000000), ref: 0085C63D
                  • FindNextFileW.KERNEL32(00000000,?), ref: 0085C710
                  • FindClose.KERNEL32(00000000), ref: 0085C71F
                  • FindClose.KERNEL32(00000000), ref: 0085C74A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFile$FirstNext
                  • String ID:
                  • API String ID: 1164774033-0
                  • Opcode ID: 9128d6fdf9acd23b2076e297f120df01714350ed85117d2d9f94866c01566eb9
                  • Instruction ID: 7f67824f195cace5575e84ff3e1317e94f2b6936fd92e0e523820db98fa68719
                  • Opcode Fuzzy Hash: 9128d6fdf9acd23b2076e297f120df01714350ed85117d2d9f94866c01566eb9
                  • Instruction Fuzzy Hash: EC318231540219AACB14F778DC9ADEE7778FF51702F10006AF905E2192EF746A8DCE5A
                  APIs
                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00867C01
                  • OpenProcessToken.ADVAPI32(00000000), ref: 00867C08
                  • LookupPrivilegeValueA.ADVAPI32(00000000,0046C7D8,?), ref: 00867C1A
                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00867C39
                  • GetLastError.KERNEL32 ref: 00867C3F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                  • String ID:
                  • API String ID: 3534403312-0
                  • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                  • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                  • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                  • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DownloadExecuteFileShell
                  • String ID: C:\Users\user\Desktop\documents-pdf.exe$open
                  • API String ID: 2825088817-721087029
                  • Opcode ID: fe10a7ab1edfc7f754063b7e06c2a8e4a1d6a3bde5b0e272a39ec0faa9776782
                  • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                  • Opcode Fuzzy Hash: fe10a7ab1edfc7f754063b7e06c2a8e4a1d6a3bde5b0e272a39ec0faa9776782
                  • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileFind$FirstNextsend
                  • String ID: XPG$XPG
                  • API String ID: 4113138495-1962359302
                  • Opcode ID: 1666b5ea26eba5ae252088eae1e990697565b9238a4226d7a6f56153c61c4302
                  • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                  • Opcode Fuzzy Hash: 1666b5ea26eba5ae252088eae1e990697565b9238a4226d7a6f56153c61c4302
                  • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                  APIs
                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                    • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                    • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                    • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateInfoParametersSystemValue
                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                  • API String ID: 4127273184-3576401099
                  • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                  • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                  • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                  • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                  APIs
                  • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
                  • TerminateProcess.KERNEL32(00000000), ref: 0044337D
                  • ExitProcess.KERNEL32 ref: 0044338F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID: PkGNG
                  • API String ID: 1703294689-263838557
                  • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                  • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                  • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                  • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                  APIs
                  • GetCurrentProcess.KERNEL32(00000003,PkGNG,00893592,00000003,0046E958,0000000C,008936E9,00000003,00000002,00000000,PkGNG,0089641E,00000003), ref: 008935DD
                  • TerminateProcess.KERNEL32(00000000), ref: 008935E4
                  • ExitProcess.KERNEL32 ref: 008935F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID: PkGNG
                  • API String ID: 1703294689-263838557
                  • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                  • Instruction ID: e27a0abf6b023e07b51c16a25b6c4a1c4a020f672dc143c19085721266241c13
                  • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                  • Instruction Fuzzy Hash: 19E0B631000208FFCF127F68DD59A483B6AFB54742F094464F90ACA162CB36DE52DB45
                  APIs
                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                  • _wcschr.LIBVCRUNTIME ref: 00451ECA
                  • _wcschr.LIBVCRUNTIME ref: 00451ED8
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                  • String ID:
                  • API String ID: 4212172061-0
                  • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                  • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                  • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                  • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                  APIs
                    • Part of subcall function 008637EB: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 0086380B
                    • Part of subcall function 008637EB: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00863829
                    • Part of subcall function 008637EB: RegCloseKey.ADVAPI32(00000000), ref: 00863834
                  • Sleep.KERNEL32(00000BB8), ref: 0085FAFD
                  • ExitProcess.KERNEL32 ref: 0085FB6C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseExitOpenProcessQuerySleepValue
                  • String ID: pth_unenc
                  • API String ID: 2281282204-4028850238
                  • Opcode ID: 81b0c12af02b44c2973477b5c91f8917c9a4cf5a464a254ec34441252f391ab4
                  • Instruction ID: a1d5257298f2688544bf496f9a8c35bde9ea5b3f08c163882e9fd2728fd91f6c
                  • Opcode Fuzzy Hash: 81b0c12af02b44c2973477b5c91f8917c9a4cf5a464a254ec34441252f391ab4
                  • Instruction Fuzzy Hash: CC214821B4471067C205B6BC4D8BA2F3A9AFB91712F50412CFC0AD72C7FE649E0883A7
                  APIs
                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0086CDCF
                    • Part of subcall function 00863A11: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 00863A20
                    • Part of subcall function 00863A11: RegSetValueExA.ADVAPI32(0046612C,0046CBC8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0086CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000), ref: 00863A48
                    • Part of subcall function 00863A11: RegCloseKey.ADVAPI32(0046612C,?,?,0086CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000,?,008589FF,00000001), ref: 00863A53
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateInfoParametersSystemValue
                  • String ID: ,aF$Control Panel\Desktop
                  • API String ID: 4127273184-2883592193
                  • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                  • Instruction ID: da5ab37bef7830e2fb423a5a0b3017e7a057ae816dd36bd11e4bc7ffe4c8a750
                  • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                  • Instruction Fuzzy Hash: 14116022BC025032D818317D5D57B7D2C06E357F62F92412BFA827A6CAF8875A4513DB
                  APIs
                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                  • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID: p'E$JD
                  • API String ID: 1084509184-908320845
                  • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                  • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                  • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                  • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                  APIs
                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorInfoLastLocale$_free$_abort
                  • String ID:
                  • API String ID: 2829624132-0
                  • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                  • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                  • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                  • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                  APIs
                  • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                  • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                  • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                  • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                  APIs
                  • IsDebuggerPresent.KERNEL32 ref: 0088BED0
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0088BEDA
                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0088BEE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                  • Instruction ID: 860859ff0ff534869f098522fc1636f7a902989c392b36ef0be1e1467ee18ad3
                  • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                  • Instruction Fuzzy Hash: 8231B5759012199BCB21EF68DC8979DB7B8FF08311F5041EAE81CA7261EB309F818F45
                  APIs
                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$AcquireRandomRelease
                  • String ID:
                  • API String ID: 1815803762-0
                  • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                  • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                  • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                  • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                  APIs
                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,008838B5,00000024,?,?,?), ref: 00883B41
                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00883B57
                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00883B69
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$AcquireRandomRelease
                  • String ID:
                  • API String ID: 1815803762-0
                  • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                  • Instruction ID: ce4c819578a0f129f67df372a774e4e690930b2ab48d38f006c3bfbdd6d5b4ff
                  • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                  • Instruction Fuzzy Hash: 52E09A71208350FBEB302F25AC08F573AA4FB81F75F200A39F211E50E4E2628900862C
                  APIs
                  • OpenClipboard.USER32(00000000), ref: 0040B74C
                  • GetClipboardData.USER32(0000000D), ref: 0040B758
                  • CloseClipboard.USER32 ref: 0040B760
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Clipboard$CloseDataOpen
                  • String ID:
                  • API String ID: 2058664381-0
                  • Opcode ID: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                  • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                  • Opcode Fuzzy Hash: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                  • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                  APIs
                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                  • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                  • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseHandleOpenResume
                  • String ID:
                  • API String ID: 3614150671-0
                  • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                  • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                  • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                  • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                  APIs
                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                  • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                  • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseHandleOpenSuspend
                  • String ID:
                  • API String ID: 1999457699-0
                  • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                  • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                  • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                  • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                  APIs
                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,008662A1,00000000), ref: 0086BE0C
                  • NtSuspendProcess.NTDLL(00000000), ref: 0086BE19
                  • CloseHandle.KERNEL32(00000000,?,?,008662A1,00000000), ref: 0086BE22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseHandleOpenSuspend
                  • String ID:
                  • API String ID: 1999457699-0
                  • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                  • Instruction ID: dec29be018b928111ec9198d77b891b5d066d8be68be5008f6843a6043bf003b
                  • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                  • Instruction Fuzzy Hash: 56D05E37200121E3C32017AA7C0CDA7AD68EFC5AA27064129F904C21509A30CC0186A4
                  APIs
                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,008662C6,00000000), ref: 0086BE38
                  • NtResumeProcess.NTDLL(00000000), ref: 0086BE45
                  • CloseHandle.KERNEL32(00000000,?,?,008662C6,00000000), ref: 0086BE4E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseHandleOpenResume
                  • String ID:
                  • API String ID: 3614150671-0
                  • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                  • Instruction ID: f53e1c691f4563b7070e5de64cbf3a8848a9f17cfdbb09c5023bf0bdbb8ea028
                  • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                  • Instruction Fuzzy Hash: 5FD09E37504221E7C621176A7C0C997AE69EBC5EA2706452AF905D21659A61CC4186A4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .$GetProcAddress.$l
                  • API String ID: 0-2784972518
                  • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                  • Instruction ID: 549968497a47cf3ef6cf18957194610e3b4d3614fae087c89c05904cb71d6a83
                  • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                  • Instruction Fuzzy Hash: E53149B6900609DFDB10CF99C880AAEBBF5FF48325F24414AD841E7215D771EA49CFA4
                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,000000FF,?,00000008,PkGNG,PkGNG,004533A6,000000FF,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID: PkGNG
                  • API String ID: 3997070919-263838557
                  • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                  • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                  • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                  • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FeaturePresentProcessor
                  • String ID:
                  • API String ID: 2325560087-3916222277
                  • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                  • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                  • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                  • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .
                  • API String ID: 0-248832578
                  • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                  • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                  • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                  • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .
                  • API String ID: 0-248832578
                  • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                  • Instruction ID: c4ab2bdaee76b073899e274adce523ba3fd33c8d03cc355de412966f65bf5adc
                  • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                  • Instruction Fuzzy Hash: 0E31E571900249AFDF24EE78CC88EEA7BBDFF85318F1801A8F959D7251E6309D458B60
                  APIs
                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                  • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID: JD
                  • API String ID: 1084509184-2669065882
                  • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                  • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                  • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                  • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: GetLocaleInfoEx
                  • API String ID: 2299586839-2904428671
                  • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                  • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                  • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                  • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 10f83df0c90a6610a8b53eb74bb6e058e5cc0ba0fe3e6508f91dd3b8627a5a0d
                  • Instruction ID: 0817ac43131241bf040194f1f3000213e80f3484091411622c0d1549e3aecf0f
                  • Opcode Fuzzy Hash: 10f83df0c90a6610a8b53eb74bb6e058e5cc0ba0fe3e6508f91dd3b8627a5a0d
                  • Instruction Fuzzy Hash: EC022D71E002199FDF14DFA9C9806ADBBF1FF88324F198269D819E7344E731A951CB90
                  APIs
                  • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                  • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Name$ComputerUser
                  • String ID:
                  • API String ID: 4229901323-0
                  • Opcode ID: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                  • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                  • Opcode Fuzzy Hash: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                  • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
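The blocks above that matter for triage are the CryptAcquireContextA/CryptGenRandom pair, the OpenClipboard/GetClipboardData(0000000D) read, OpenProcess(00000800) followed by NtSuspendProcess or NtResumeProcess, and the GetComputerNameExW/GetUserNameW pair; note also that the same Opcode IDs recur at Offset 00400000 (based on PE: true) and Offset 00850000 (based on PE: false). The Python script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It parses the block format shown on this page, decodes the constant arguments that give those calls their meaning (0x800 is PROCESS_SUSPEND_RESUME, 0xD is CF_UNICODETEXT, both documented Win32 values), maps API combinations to capability labels that are the example's own rather than the report's, and lists Opcode IDs seen at more than one dump offset. The embedded fixture is three blocks copied from the listing above and trimmed to the lines the parser reads.

```python
"""Triage helper for the Joe Sandbox "APIs" blocks on this page (added example, not Joe
Security's code): parses the block format shown above, decodes Win32 constants, flags duplicate Opcode IDs."""
import re
from collections import defaultdict

API_RE = re.compile(
    r"^•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?"  # optional sub-call prefix
    r"(?P<name>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?"  # Name.DLL(args) or bare Name.DLL
    r",?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
OPCODE_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")
# Documented Win32 values (winnt.h / winuser.h), limited to the bits that matter here.
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME"}
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0x8: "CF_DIB", 0xD: "CF_UNICODETEXT", 0xF: "CF_HDROP"}
# API combinations and the capability each implies (analyst's own labels, not the report's).
CAPABILITIES = [({"OpenClipboard", "GetClipboardData"}, "reads clipboard contents"),
                ({"OpenProcess", "NtSuspendProcess"}, "suspends another process"),
                ({"OpenProcess", "NtResumeProcess"}, "resumes another process"),
                ({"CryptAcquireContextA", "CryptGenRandom"}, "draws CSPRNG bytes"),
                ({"GetComputerNameExW", "GetUserNameW"}, "collects host and user name")]

def parse_blocks(text):
    """One dict per "APIs" block: apis (name, dll, args, ref), offset, based_on_pe, opcode_id."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "offset": None, "based_on_pe": None, "opcode_id": None}
            blocks.append(cur)
        elif cur is None:
            continue  # strings-only block or other text outside an "APIs" block
        elif line.startswith("• Instruction Fuzzy Hash"):
            cur = None  # last line of every block in this listing
        elif m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["apis"].append({"name": m["name"], "dll": m["dll"], "args": args, "ref": m["ref"]})
        elif m := SRC_RE.search(line):
            cur["offset"], cur["based_on_pe"] = m["offset"], m["pe"] == "true"
        elif m := OPCODE_RE.search(line):
            cur["opcode_id"] = m["id"]
    return blocks

def decode_process_access(mask):
    names = [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
    rest = mask & ~sum(PROCESS_ACCESS)  # bits outside the table are reported raw
    return names + ([f"0x{rest:X}"] if rest else [])

def capabilities(block):
    names = {a["name"] for a in block["apis"]}
    return [label for needed, label in CAPABILITIES if needed <= names]

def annotate(block):
    notes = []
    for api in block["apis"]:
        first = api["args"][0] if api["args"] else "?"
        if first == "?":  # value the sandbox could not recover
            continue
        if api["name"] == "OpenProcess":
            notes.append("OpenProcess access=" + "|".join(decode_process_access(int(first, 16))))
        elif api["name"] == "GetClipboardData":
            fmt = int(first, 16)
            notes.append("GetClipboardData format=" + CLIPBOARD_FORMATS.get(fmt, f"0x{fmt:X}"))
    return notes

def shared_opcode_ids(blocks):
    """Opcode IDs seen at more than one dump offset, i.e. the same function body in two regions."""
    seen = defaultdict(set)
    for b in blocks:
        if b["opcode_id"] and b["offset"]:
            seen[b["opcode_id"]].add(b["offset"])
    return {oid: offs for oid, offs in seen.items() if len(offs) > 1}

# Fixture: three blocks copied from the listing on this page, trimmed to the lines the parser reads.
SAMPLE = """\
APIs
• OpenClipboard.USER32(00000000), ref: 0040B74C
• GetClipboardData.USER32(0000000D), ref: 0040B758
• CloseClipboard.USER32 ref: 0040B760
• Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
• NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
• Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
• Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,008662A1,00000000), ref: 0086BE0C
• NtSuspendProcess.NTDLL(00000000), ref: 0086BE19
• Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
• Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
• Instruction Fuzzy Hash: 56D05E37200121E3C32017AA7C0CDA7AD68EFC5AA27064129F904C21509A30CC0186A4
"""
if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for b in blocks:
        print(b["offset"], [a["name"] for a in b["apis"]], annotate(b), capabilities(b))
    print("shared:", {k[:12]: sorted(v) for k, v in shared_opcode_ids(blocks).items()})
```

Feed it a saved copy of the full function listing to get, per block, the decoded arguments and a capability label; the Opcode IDs it reports as shared are the functions present both in the mapped image at 00400000 and in the non-image region at 00850000, which is where to start when comparing the two dumps.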
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG$wA
                  • API String ID: 0-1404076192
                  • Opcode ID: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                  • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                  • Opcode Fuzzy Hash: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                  • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0$PkGNG
                  • API String ID: 0-1056914901
                  • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                  • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                  • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                  • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                  • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$FreeProcess
                  • String ID:
                  • API String ID: 3859560861-0
                  • Opcode ID: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                  • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                  • Opcode Fuzzy Hash: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                  • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008A360D,?,?,00000008,?,?,008A64C4,00000000), ref: 008A383F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                  • Instruction ID: b08084ce56880ab206a6f9b6223a7b530b2b792cc6029ca1027e540ffcff4eb8
                  • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                  • Instruction Fuzzy Hash: D4B15175510609DFE719CF28C48AB647BE0FF46364F258668F89ACF6A1C339DA91CB40
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                  • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                  • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                  • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                  • Instruction ID: 6c93e39020dac9dda1affcbdf4d8dabe8ecdda79711ca9312f501d36da26cb8a
                  • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                  • Instruction Fuzzy Hash: 1A123E726083008BD714EF69D851A1EF3E2FFC8B64F158A2DF485E7391DA74EA458B42
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                  • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                  • Opcode Fuzzy Hash: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                  • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                  • Instruction ID: 23e24684d68820acbcb76f8b7a41e4d1ecfc4f311d5e66a6a036dc70535a07f3
                  • Opcode Fuzzy Hash: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                  • Instruction Fuzzy Hash: 6702ACB16046518BC358CF2EEC9063AB7E1FB8D311744863EE595C7385EB35EA22CB94
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                  • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                  • Opcode Fuzzy Hash: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                  • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: 55cc36af361bbb429cac2c1a49b81fe186fd90216d15d23d5244979f9e081e2e
                  • Instruction ID: 6bbd01628f74a9bb41aa3d089a2eac2213b50dcbd677bbef1e0f9240eb494177
                  • Opcode Fuzzy Hash: 55cc36af361bbb429cac2c1a49b81fe186fd90216d15d23d5244979f9e081e2e
                  • Instruction Fuzzy Hash: 97F1A0755142558FC348DF1DE8A183BB3E1FB89311B440A2EF582C3391EB75EA26CB96
                  APIs
                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free$InfoLocale_abort
                  • String ID:
                  • API String ID: 1663032902-0
                  • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                  • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                  • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                  • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                  APIs
                    • Part of subcall function 008984FC: GetLastError.KERNEL32(?,0088F9D7,0088AADC,0088F9D7,00474EF8,PkGNG,0088D0CC,FF8BC35D,00474EF8,00474EF8), ref: 00898500
                    • Part of subcall function 008984FC: _free.LIBCMT ref: 00898533
                    • Part of subcall function 008984FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898574
                    • Part of subcall function 008984FC: _abort.LIBCMT ref: 0089857A
                    • Part of subcall function 008984FC: _free.LIBCMT ref: 0089855B
                    • Part of subcall function 008984FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898568
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 008A264E
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • API ID: ErrorLast$_free$InfoLocale_abort
                   • API String ID: 1663032902-0
                  APIs
                    • Part of subcall function 008984FC: GetLastError.KERNEL32(?,0088F9D7,0088AADC,0088F9D7,00474EF8,PkGNG,0088D0CC,FF8BC35D,00474EF8,00474EF8), ref: 00898500
                    • Part of subcall function 008984FC: _free.LIBCMT ref: 00898533
                    • Part of subcall function 008984FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898574
                    • Part of subcall function 008984FC: _abort.LIBCMT ref: 0089857A
                  • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,00894D54,?,008A29D7,00000000,?,?,?), ref: 008A22F4
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • API ID: ErrorLast$EnumLocalesSystem_abort_free
                   • API String ID: 1084509184-0
                  APIs
                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Similarity
                   • API ID: ErrorLast$InfoLocale_abort_free
                   • API String ID: 2692324296-0
                  APIs
                    • Part of subcall function 008984FC: GetLastError.KERNEL32(?,0088F9D7,0088AADC,0088F9D7,00474EF8,PkGNG,0088D0CC,FF8BC35D,00474EF8,00474EF8), ref: 00898500
                    • Part of subcall function 008984FC: _free.LIBCMT ref: 00898533
                    • Part of subcall function 008984FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898574
                    • Part of subcall function 008984FC: _abort.LIBCMT ref: 0089857A
                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,008A25C8,00000000,00000000,?), ref: 008A2856
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • API ID: ErrorLast$InfoLocale_abort_free
                   • API String ID: 2692324296-0
                  APIs
                    • Part of subcall function 008984FC: GetLastError.KERNEL32(?,0088F9D7,0088AADC,0088F9D7,00474EF8,PkGNG,0088D0CC,FF8BC35D,00474EF8,00474EF8), ref: 00898500
                    • Part of subcall function 008984FC: _free.LIBCMT ref: 00898533
                    • Part of subcall function 008984FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898574
                    • Part of subcall function 008984FC: _abort.LIBCMT ref: 0089857A
                  • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,00894D54,?,008A299B,00894D54,?,?,?,?,?,00894D54,?,?), ref: 008A2369
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • API ID: ErrorLast$EnumLocalesSystem_abort_free
                   • API String ID: 1084509184-0
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,008947B2,?,00000004), ref: 00898C27
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • API ID: InfoLocale
                   • API String ID: 2299586839-0
                  APIs
                    • Part of subcall function 00445909: RtlEnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                  • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Similarity
                   • API ID: CriticalEnterEnumLocalesSectionSystem
                   • API String ID: 1272433827-0
                  APIs
                    • Part of subcall function 00895B70: RtlEnterCriticalSection.NTDLL(?), ref: 00895B7F
                  • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 00898723
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • API ID: CriticalEnterEnumLocalesSectionSystem
                   • API String ID: 1272433827-0
                  APIs
                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Similarity
                   • API ID: ErrorLast$EnumLocalesSystem_abort_free
                   • API String ID: 1084509184-0
                  APIs
                    • Part of subcall function 008984FC: GetLastError.KERNEL32(?,0088F9D7,0088AADC,0088F9D7,00474EF8,PkGNG,0088D0CC,FF8BC35D,00474EF8,00474EF8), ref: 00898500
                    • Part of subcall function 008984FC: _free.LIBCMT ref: 00898533
                    • Part of subcall function 008984FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898574
                    • Part of subcall function 008984FC: _abort.LIBCMT ref: 0089857A
                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,008A29F9,00894D54,?,?,?,?,?,00894D54,?,?,?), ref: 008A226E
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • API ID: ErrorLast$EnumLocalesSystem_abort_free
                   • API String ID: 1084509184-0
                  APIs
                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Similarity
                   • API ID: InfoLocale
                   • API String ID: 2299586839-0
                  APIs
                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,0086579E,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,004674BC), ref: 0085FB87
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • API ID: InfoLocale
                   • API String ID: 2299586839-0
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Similarity
                   • API ID: ExceptionFilterUnhandled
                   • API String ID: 3192549508-0
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • String ID: 0
                   • API String ID: 0-4108050209
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • String ID: 0
                   • API String ID: 0-4108050209
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Similarity
                   • String ID: @
                   • API String ID: 0-2766056989
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Similarity
                   • String ID: @
                   • API String ID: 0-2766056989
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Memory Dump Source
                   • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                   Memory Dump Source
                   • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                   Joe Sandbox IDA Plugin
                   • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                  • Instruction ID: 728a7fe2616858911c89d5fb644dbdf85e482346add5627d50a2f25da362826b
                  • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                  • Instruction Fuzzy Hash: 2661597160071DA6DE38FA6C8895BBE3399FF71308F14092AE943DB282F611DD41C71A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                  • Instruction ID: 88dede344cea4123bb450d8e1689029277c33fddcfd888adb4a6628f5e7415a0
                  • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                  • Instruction Fuzzy Hash: 6061863170070DA7DA78BA6C8CA5BBE2789FF01704F14043AE986DF6E2D691ED42C316
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                  • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                  • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                  • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                  • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                  • Opcode Fuzzy Hash: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                  • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                  • Instruction ID: 33e6d78200eb3ab418770b1fc02214ba62193405c7d26c3dadd2f0b35fe73dc0
                  • Opcode Fuzzy Hash: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                  • Instruction Fuzzy Hash: A1614772A0C3049BC304DB38D981A5BB7E4FFCC714F544E2EF599D6154EA71EA088B82
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                  • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                  • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                  • Instruction ID: 2c55257f08b89bd552dd5eb69891f388163401738b9f616648ff72a6d63c5e5b
                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                  • Instruction Fuzzy Hash: 37110477241072C7D61CEA2DD8B46BBA795FAC53207ED426BD081CB7D8EE22A9449702
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                  • Instruction ID: f4a6812399ea76196d489e875a70bc7d4eef4588dffa078048a020c38cc8fbb5
                  • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                  • Instruction Fuzzy Hash: 7101F272A006048FDF21CF60C805BAA33F5FB86307F1545A4DD0AD7281E370AC498F80
                  APIs
                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                  • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                    • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                  • DeleteDC.GDI32(00000000), ref: 00418F65
                  • DeleteDC.GDI32(00000000), ref: 00418F68
                  • DeleteObject.GDI32(00000000), ref: 00418F6B
                  • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                  • DeleteDC.GDI32(00000000), ref: 00418F9D
                  • DeleteDC.GDI32(00000000), ref: 00418FA0
                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                  • GetCursorInfo.USER32(?), ref: 00418FE2
                  • GetIconInfo.USER32(?,?), ref: 00418FF8
                  • DeleteObject.GDI32(?), ref: 00419027
                  • DeleteObject.GDI32(?), ref: 00419034
                  • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                  • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                  • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                  • DeleteDC.GDI32(?), ref: 004191B7
                  • DeleteDC.GDI32(00000000), ref: 004191BA
                  • DeleteObject.GDI32(00000000), ref: 004191BD
                  • GlobalFree.KERNEL32(?), ref: 004191C8
                  • DeleteObject.GDI32(00000000), ref: 0041927C
                  • GlobalFree.KERNEL32(?), ref: 00419283
                  • DeleteDC.GDI32(?), ref: 00419293
                  • DeleteDC.GDI32(00000000), ref: 0041929E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                  • String ID: DISPLAY
                  • API String ID: 4256916514-865373369
                  • Opcode ID: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                  • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                  • Opcode Fuzzy Hash: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                  • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                  APIs
                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                  • GetProcAddress.KERNEL32(00000000), ref: 00418174
                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                  • GetProcAddress.KERNEL32(00000000), ref: 00418188
                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                  • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                  • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                  • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                  • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                  • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                  • ResumeThread.KERNEL32(?), ref: 00418470
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                  • GetCurrentProcess.KERNEL32(?), ref: 00418492
                  • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                  • GetLastError.KERNEL32 ref: 004184B5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                  • API String ID: 4188446516-3035715614
                  • Opcode ID: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                  • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                  • Opcode Fuzzy Hash: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                  • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
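                  The call sequence in this function block is the classic process-hollowing pattern: ZwCreateSection, ZwMapViewOfSection and ZwUnmapViewOfSection are resolved from ntdll, a child is started with dwCreationFlags 0x4 (CREATE_SUSPENDED), and its thread context is read, its memory rewritten, the context set and the thread resumed. The Python below is an added example, not code from this report or from the sandbox vendor: it parses API lines in the format used on this page and flags that pattern. The sample trace is constructed from the lines above (trimmed), and the check assumes the sixth CreateProcess* argument is displayed as the raw hex dwCreationFlags, as it is here.

```python
"""Flag a process-hollowing API sequence in a Joe Sandbox style API trace.
Added example; not code from the report or the sandbox vendor."""
import re
from typing import List, NamedTuple, Optional, Tuple

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, sixth CreateProcess* argument


class Call(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int  # call-site address, the value shown after "ref:"


# Shape of an API line on this page:  Name.MODULE(arg,arg,...), ref: 0041XXXX
# Lines without an argument list (GetLastError.KERNEL32 ref: ...) also match.
LINE_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample trace: the call lines from the function block above,
# trimmed to the ones the check needs.
SAMPLE_TRACE = """\
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
• GetProcAddress.KERNEL32(00000000), ref: 00418174
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
• GetProcAddress.KERNEL32(00000000), ref: 0041819C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
• SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNEL32(?), ref: 00418470
• GetLastError.KERNEL32 ref: 004184B5
"""


def parse_trace(text: str) -> List[Call]:
    """Turn the report's API lines into Call records; non-matching lines are skipped."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("• ").strip())
        if not m:
            continue  # section labels such as "APIs" or "Strings" are not calls
        args = tuple(a.strip() for a in (m.group("args") or "").split(",") if a.strip())
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def _hex_or_none(arg: str) -> Optional[int]:
    """'?' means the sandbox could not recover the argument value."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


HOLLOWING_STEPS = ["GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def detect_hollowing(calls: List[Call]) -> dict:
    """Verdict for the classic pattern: CreateProcess* with CREATE_SUSPENDED, then
    GetThreadContext -> WriteProcessMemory -> SetThreadContext -> ResumeThread in
    that order. Resolving Zw/NtUnmapViewOfSection beforehand (in this trace format
    the symbol name appears among the GetModuleHandle* arguments) is extra evidence."""
    unmap_resolved = any(
        c.api.startswith("GetModuleHandle")
        and any(a.endswith("UnmapViewOfSection") for a in c.args)
        for c in calls
    )
    for i, c in enumerate(calls):
        if c.api not in ("CreateProcessA", "CreateProcessW") or len(c.args) < 6:
            continue
        flags = _hex_or_none(c.args[5])
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        pending = list(HOLLOWING_STEPS)
        seen = []
        for later in calls[i + 1:]:
            if pending and later.api == pending[0]:
                seen.append(pending.pop(0))
        if not pending:
            return {"hollowing": True, "create_process_ref": f"{c.ref:08X}",
                    "steps": seen, "unmap_resolved": unmap_resolved}
    return {"hollowing": False, "create_process_ref": None,
            "steps": [], "unmap_resolved": unmap_resolved}


if __name__ == "__main__":
    print(detect_hollowing(parse_trace(SAMPLE_TRACE)))
```

                  The order check matters more than the API names: GetThreadContext and SetThreadContext are ordinary debugger calls, and WriteProcessMemory alone is common in legitimate software, but the full sequence after a suspended CreateProcess is rarely benign. A hit should be confirmed against the child's image base (the ReadProcessMemory of 4 bytes at PEB+8 in the trace is the sample reading it) rather than treated as proof on its own.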
                  APIs
                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                  • ExitProcess.KERNEL32 ref: 0040D80B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                  • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                  • API String ID: 1861856835-1447701601
                  • Opcode ID: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                  • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                  • Opcode Fuzzy Hash: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                  • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                  APIs
                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                  • ExitProcess.KERNEL32 ref: 0040D454
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                  • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                  • API String ID: 3797177996-2483056239
                  • Opcode ID: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                  • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                  • Opcode Fuzzy Hash: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                  • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                  • ExitProcess.KERNEL32(00000000), ref: 004124DB
                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                  • CloseHandle.KERNEL32(00000000), ref: 00412576
                  • GetCurrentProcessId.KERNEL32 ref: 0041257C
                  • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                  • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                  • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                  • Sleep.KERNEL32(000001F4), ref: 004126BD
                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                  • CloseHandle.KERNEL32(00000000), ref: 004126E4
                  • GetCurrentProcessId.KERNEL32 ref: 004126EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                  • String ID: .exe$8SG$WDH$exepath$open$temp_
                  • API String ID: 2649220323-436679193
                  • Opcode ID: 898725a538578efc964f3db07f9b73ad570f6512a08a1881f5d957b613d7759d
                  • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                  • Opcode Fuzzy Hash: 898725a538578efc964f3db07f9b73ad570f6512a08a1881f5d957b613d7759d
                  • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                  APIs
                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                  • SetEvent.KERNEL32 ref: 0041B2AA
                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                  • CloseHandle.KERNEL32 ref: 0041B2CB
                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                  • API String ID: 738084811-2094122233
                  • Opcode ID: 5d9aaae5b6bd8c51570089f5dfa29b9bb92cd3971647b6afa2a82d9b3ba17afa
                  • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                  • Opcode Fuzzy Hash: 5d9aaae5b6bd8c51570089f5dfa29b9bb92cd3971647b6afa2a82d9b3ba17afa
                  • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                  APIs
                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                  • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                  • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                  • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Write$Create
                  • String ID: RIFF$WAVE$data$fmt
                  • API String ID: 1602526932-4212202414
                  • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                  • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                  • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                  • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
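                  The thirteen WriteFile calls in this block emit, field by field, the canonical 44-byte WAV header: the RIFF chunk (4 + 4 + 4 bytes), a 16-byte fmt chunk (4 + 4 + 2 + 2 + 4 + 4 + 2 + 2) and the data chunk header (4 + 4). That is what a recording written by the sample looks like on disk, so a file carved from a dump or a temp directory can be validated by parsing that header. The Python below is an added example, not code from this report or from the sample: a builder that mirrors the write order and a parser that checks the derived fields for consistency. The default channel count, sample rate and bit depth are assumptions, because the trace shows those arguments as ? or as pointers rather than as the values the sample writes.

```python
"""Build and validate the 44-byte canonical WAV header produced by the WriteFile
sequence above. Added example; not code from the report or the sample."""
import struct

WAVE_FORMAT_PCM = 1
HEADER_LEN = 44  # 12 (RIFF) + 24 (fmt chunk incl. its 8-byte header) + 8 (data chunk header)


def build_wav_header(data_size: int, channels: int = 1, sample_rate: int = 8000,
                     bits_per_sample: int = 16) -> bytes:
    """Same field order as the thirteen WriteFile calls: RIFF, riff size, WAVE, 'fmt ',
    16, format tag, channels, sample rate, byte rate, block align, bits per sample,
    'data', data size. All integers little-endian. Defaults are assumed values."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return (b"RIFF" + struct.pack("<I", 36 + data_size) + b"WAVE"
            + b"fmt " + struct.pack("<IHHIIHH", 16, WAVE_FORMAT_PCM, channels,
                                    sample_rate, byte_rate, block_align, bits_per_sample)
            + b"data" + struct.pack("<I", data_size))


def parse_wav_header(blob: bytes) -> dict:
    """Parse the header and cross-check the derived fields, raising ValueError on
    anything inconsistent. Useful when deciding whether a carved file really is a
    recording or just happens to start with 'RIFF'."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a canonical WAV header")
    (riff, riff_size, wave, fmt, fmt_size, tag, channels, rate, byte_rate,
     block_align, bits, data, data_size) = struct.unpack("<4sI4s4sIHHIIHH4sI", blob[:HEADER_LEN])
    if riff != b"RIFF" or wave != b"WAVE" or fmt != b"fmt " or data != b"data":
        raise ValueError("missing RIFF/WAVE/fmt/data markers")
    if fmt_size != 16:
        raise ValueError(f"fmt chunk size {fmt_size} is not the 16 bytes used for PCM")
    if channels == 0 or bits == 0 or bits % 8:
        raise ValueError("channel count or bit depth is not plausible")
    if block_align != channels * bits // 8 or byte_rate != rate * block_align:
        raise ValueError("block align / byte rate do not match channels, rate and bit depth")
    if riff_size != 36 + data_size:
        raise ValueError("RIFF size does not match data size")
    return {"format_tag": tag, "channels": channels, "sample_rate": rate,
            "bits_per_sample": bits, "data_size": data_size, "audio_offset": HEADER_LEN}


def looks_like_recording(blob: bytes) -> bool:
    """True when the header is self-consistent and the payload length matches it."""
    try:
        info = parse_wav_header(blob)
    except ValueError:
        return False
    return len(blob) - HEADER_LEN >= info["data_size"]


if __name__ == "__main__":
    # Constructed payload: 0.1 s of silence at the assumed 8 kHz mono 16-bit.
    sample = build_wav_header(1600) + b"\x00" * 1600
    print(parse_wav_header(sample), looks_like_recording(sample))
```

                  A RIFF size or data size of zero in a carved file is not necessarily corruption: a writer that emits the header before it knows the final length has to seek back and patch those two fields, so a recording cut off mid-session will fail the size check while still carrying valid PCM after offset 44.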
                  APIs
                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\documents-pdf.exe,00000001,00407688,C:\Users\user\Desktop\documents-pdf.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                  • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                  • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                  • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                  • GetProcAddress.KERNEL32(00000000), ref: 00407308
                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                  • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                  • GetProcAddress.KERNEL32(00000000), ref: 00407330
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: C:\Users\user\Desktop\documents-pdf.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                  • API String ID: 1646373207-2308395628
                  • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                  • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                  • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                  • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 00862736
                  • ExitProcess.KERNEL32(00000000), ref: 00862742
                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 008627BC
                  • OpenProcess.KERNEL32(00100000,00000000,?), ref: 008627CB
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 008627D6
                  • CloseHandle.KERNEL32(00000000), ref: 008627DD
                  • GetCurrentProcessId.KERNEL32 ref: 008627E3
                  • PathFileExistsW.SHLWAPI(?), ref: 00862814
                  • GetTempPathW.KERNEL32(00000104,?), ref: 00862877
                  • GetTempFileNameW.KERNEL32(?,0046C58C,00000000,?), ref: 00862891
                  • lstrcatW.KERNEL32(?,0046C598), ref: 008628A3
                    • Part of subcall function 0086C6E9: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0086C808,00000000,00000000,?), ref: 0086C728
                  • Sleep.KERNEL32(000001F4), ref: 00862924
                  • OpenProcess.KERNEL32(00100000,00000000,?), ref: 00862939
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00862944
                  • CloseHandle.KERNEL32(00000000), ref: 0086294B
                  • GetCurrentProcessId.KERNEL32 ref: 00862951
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExistsExitMutexNameSleeplstrcat
                  • String ID: 8SG$WDH$exepath
                  • API String ID: 1507772987-3485537677
                  • Opcode ID: 7382e5041dfdc3f17c085a94aaa2370adad8fa3b8a06acba275b45df2a203793
                  • Instruction ID: 10599cec872477cfcced92a6c85f0f0998f9408611df5ccc6f67cf1d033a5b50
                  • Opcode Fuzzy Hash: 7382e5041dfdc3f17c085a94aaa2370adad8fa3b8a06acba275b45df2a203793
                  • Instruction Fuzzy Hash: 6751F371A40329BBDB00ABA49C8AEFE736CFB15751F1001A5F801E71D2EF748E458B69
                  APIs
                  • CreateDCA.GDI32(0046C888,00000000,00000000,00000000), ref: 00869132
                  • CreateCompatibleDC.GDI32(00000000), ref: 0086913F
                    • Part of subcall function 008695C7: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 008695F7
                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 008691B5
                  • DeleteObject.GDI32(00000000), ref: 008691D2
                  • SelectObject.GDI32(00000000,00000000), ref: 008691F3
                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 0086922B
                  • GetCursorInfo.USER32(?), ref: 00869249
                  • GetIconInfo.USER32(?,?), ref: 0086925F
                  • DeleteObject.GDI32(?), ref: 0086928E
                  • DeleteObject.GDI32(?), ref: 0086929B
                  • DrawIcon.USER32(00000000,?,?,?), ref: 008692A8
                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,00473198,00000000,00000000,00660046), ref: 008692DE
                  • GetObjectA.GDI32(00000000,00000018,?), ref: 0086930A
                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00869377
                  • GlobalAlloc.KERNEL32(00000000,?), ref: 008693E6
                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0086940A
                  • DeleteObject.GDI32(00000000), ref: 00869424
                  • GlobalFree.KERNEL32(?), ref: 0086942F
                  • DeleteObject.GDI32(00000000), ref: 008694E3
                  • GlobalFree.KERNEL32(?), ref: 008694EA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$Delete$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                  • String ID:
                  • API String ID: 2309981249-0
                  • Opcode ID: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                  • Instruction ID: fec46785e69103a9fdfe4ae4a5a1c36378fb78287d40a8613de30f2d00bf6978
                  • Opcode Fuzzy Hash: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                  • Instruction Fuzzy Hash: 81C14771108345AFD724DF24D848B6BBBE9FB89711F01482DF989D7291DB34E908CB66
                  APIs
                    • Part of subcall function 00862AF2: TerminateProcess.KERNEL32(00000000,?,0085DAB1), ref: 00862B02
                    • Part of subcall function 00862AF2: WaitForSingleObject.KERNEL32(000000FF,?,0085DAB1), ref: 00862B15
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0085D7BF
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0085D7D2
                    • Part of subcall function 0086C6E9: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0086C808,00000000,00000000,?), ref: 0086C728
                  • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0085DA66
                  • ExitProcess.KERNEL32 ref: 0085DA72
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileProcess$CreateDeleteExecuteExitModuleNameObjectShellSingleTerminateWait
                  • String ID: 8SG$@qF$DqF@qF$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$dMG$exepath$fso.DeleteFolder "$while fso.FileExists("$xdF$xpF
                  • API String ID: 1359289687-3067577124
                  • Opcode ID: 183e3a47f802c39214e20746608bb0bd18ac8d6098a6ad0476d4d564e1fe9f82
                  • Instruction ID: 0e51bd2e58a779aa48447dd0ab63aed9e38bbdacebd862c94eb0001a537f3c2d
                  • Opcode Fuzzy Hash: 183e3a47f802c39214e20746608bb0bd18ac8d6098a6ad0476d4d564e1fe9f82
                  • Instruction Fuzzy Hash: A591D1312447005AC315FB38D892AAF7399FF91702F50482EBD4AD71A2EF646E4DC667
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 0085594D
                    • Part of subcall function 00854D08: send.WS2_32(?,00000000,00000000,00000000), ref: 00854D9D
                  • __Init_thread_footer.LIBCMT ref: 0085598A
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 00855AA6
                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00855AFE
                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00855B23
                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00855B50
                    • Part of subcall function 00884A68: __onexit.LIBCMT ref: 00884A6E
                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 00855C4B
                  • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 00855C65
                  • TerminateProcess.KERNEL32(00000000), ref: 00855C7E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileInit_thread_footerProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
                  • String ID: 0lG$0lG$0lG$0lG$0lG$cmd.exe$kG
                  • API String ID: 3407654705-1599548906
                  • Opcode ID: 263f862d2a4e5ab39b8f277b163e5cfdff8eedff8f4ffa8a5c5ab1abbd34aa3f
                  • Instruction ID: b5fda5f56a1c67c1efb286a306d7134e347b5daac529f8986485556578ceff81
                  • Opcode Fuzzy Hash: 263f862d2a4e5ab39b8f277b163e5cfdff8eedff8f4ffa8a5c5ab1abbd34aa3f
                  • Instruction Fuzzy Hash: 6391F671604604AFD711FF28AD52E6A77AAFB41341F01443EFC89D61A2EF259C4C8B6B
                  APIs
                  • lstrlenW.KERNEL32(?), ref: 0041C0C7
                  • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                  • lstrlenW.KERNEL32(?), ref: 0041C0F8
                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                  • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                  • _wcslen.LIBCMT ref: 0041C1CC
                  • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                  • GetLastError.KERNEL32 ref: 0041C204
                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                  • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                  • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                  • GetLastError.KERNEL32 ref: 0041C261
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                  • String ID: ?
                  • API String ID: 3941738427-1684325040
                  • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                  • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                  • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                  • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                  APIs
                  • lstrlenW.KERNEL32(?), ref: 0086C32E
                  • _memcmp.LIBVCRUNTIME ref: 0086C346
                  • lstrlenW.KERNEL32(?), ref: 0086C35F
                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0086C39A
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0086C3AD
                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0086C3F1
                  • lstrcmpW.KERNEL32(?,?), ref: 0086C40C
                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0086C424
                  • _wcslen.LIBCMT ref: 0086C433
                  • FindVolumeClose.KERNEL32(?), ref: 0086C453
                  • GetLastError.KERNEL32 ref: 0086C46B
                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0086C498
                  • lstrcatW.KERNEL32(?,?), ref: 0086C4B1
                  • lstrcpyW.KERNEL32(?,?), ref: 0086C4C0
                  • GetLastError.KERNEL32 ref: 0086C4C8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                  • String ID: ?
                  • API String ID: 3941738427-1684325040
                  • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                  • Instruction ID: 0cc1c7eef1fce3cab8926a5da95321c2097444f0af0c22a5a770e1bb51284806
                  • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                  • Instruction Fuzzy Hash: B0419F71504306EBD720EF64D848ABBB7ECFF94715F11482AF585C2261EB74C948CBA6
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                  • String ID:
                  • API String ID: 2719235668-0
                  • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                  • Instruction ID: 9320d0ed2268bd53c4902764523d2dc8bd14116a3da00cb5dd4436bfe5a05881
                  • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                  • Instruction Fuzzy Hash: 24D11372A00215AFEF29BFB88D41A6A7BE4FF01324F1C417DFA45E7283E67189408B51
                  APIs
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 008684B9
                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 008684D1
                  • GetThreadContext.KERNEL32(?,00000000), ref: 008684E7
                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0086850D
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0086858F
                  • TerminateProcess.KERNEL32(?,00000000), ref: 008685A3
                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 008685E3
                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 008686AD
                  • SetThreadContext.KERNEL32(?,00000000), ref: 008686CA
                  • ResumeThread.KERNEL32(?), ref: 008686D7
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 008686EE
                  • GetCurrentProcess.KERNEL32(?), ref: 008686F9
                  • TerminateProcess.KERNEL32(?,00000000), ref: 00868714
                  • GetLastError.KERNEL32 ref: 0086871C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                  • String ID: ntdll
                  • API String ID: 3275803005-3337577438
                  • Opcode ID: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                  • Instruction ID: 3fb6da73662cf93c4d1c56af68f0e57b534147515108efed5924ca3e732b0418
                  • Opcode Fuzzy Hash: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                  • Instruction Fuzzy Hash: FBA16DB0604305EFDB209F64DD89B6ABBE8FF48745F100929F689D6191DB74DC44CB1A
                  APIs
                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                  • LoadLibraryA.KERNEL32(?), ref: 00414E52
                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                  • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                  • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                  • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                  • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                  • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                  • API String ID: 2490988753-3346362794
                  • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                  • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                  • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                  • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$EnvironmentVariable$_wcschr
                  • String ID:
                  • API String ID: 3899193279-0
                  • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                  • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                  • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                  • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                  • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                  • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                  • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                  • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                  • Sleep.KERNEL32(00000064), ref: 00412ECF
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                  • String ID: /stext "$0TG$0TG$NG$NG
                  • API String ID: 1223786279-2576077980
                  • Opcode ID: 12d3d07cae9bb5548afc1fb9c8ed18a8d547c15698e7b753bd281ace61954d5f
                  • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                  • Opcode Fuzzy Hash: 12d3d07cae9bb5548afc1fb9c8ed18a8d547c15698e7b753bd281ace61954d5f
                  • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                  APIs
                    • Part of subcall function 00862AF2: TerminateProcess.KERNEL32(00000000,?,0085DAB1), ref: 00862B02
                    • Part of subcall function 00862AF2: WaitForSingleObject.KERNEL32(000000FF,?,0085DAB1), ref: 00862B15
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0085D447
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0085D45A
                    • Part of subcall function 0086BC70: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,008542E3), ref: 0086BC97
                  • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0085D6B4
                  • ExitProcess.KERNEL32 ref: 0085D6BB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
                  • String ID: 8SG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$dMG$exepath$fso.DeleteFolder "$pth_unenc$while fso.FileExists("$xdF
                  • API String ID: 508158800-2455986086
                  • Opcode ID: 32eb6619aaf197860a1af8068c9beb44f56f7e691fd55cde280349b3b87ccd79
                  • Instruction ID: ca634d3fdf922f4d122848bc392da11e56b22d96b6403ebcb6566042b2a27c19
                  • Opcode Fuzzy Hash: 32eb6619aaf197860a1af8068c9beb44f56f7e691fd55cde280349b3b87ccd79
                  • Instruction Fuzzy Hash: FB81C0312447005BC715FB28D852AAF73A9FF91702F10482EB946D71A3EF64AE4DC65B
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                  • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                  • API String ID: 1332880857-3714951968
                  • Opcode ID: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                  • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                  • Opcode Fuzzy Hash: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                  • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                  APIs
                  • Sleep.KERNEL32(00001388), ref: 0085A9E2
                    • Part of subcall function 0085A917: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0085A9EF), ref: 0085A94D
                    • Part of subcall function 0085A917: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0085A9EF), ref: 0085A95C
                    • Part of subcall function 0085A917: Sleep.KERNEL32(00002710,?,?,?,0085A9EF), ref: 0085A989
                    • Part of subcall function 0085A917: CloseHandle.KERNEL32(00000000,?,?,?,0085A9EF), ref: 0085A990
                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0085AA1E
                  • GetFileAttributesW.KERNEL32(00000000), ref: 0085AA2F
                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0085AA46
                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0085AAC0
                    • Part of subcall function 0086C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00854396,00465E84), ref: 0086C796
                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0085ABC9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                  • String ID: 8SG$8SG$pQG$pQG$xdF$PG$PG
                  • API String ID: 3795512280-661585845
                  • Opcode ID: 66a0b5108e7ee58fc3900682d73f49ebd57c76f2f25b35366e866aa3198208e3
                  • Instruction ID: 69f0c41156e61c0de7ca4b80eac11f6af46b8eac0f46137f62777e86863628ae
                  • Opcode Fuzzy Hash: 66a0b5108e7ee58fc3900682d73f49ebd57c76f2f25b35366e866aa3198208e3
                  • Instruction Fuzzy Hash: 6A51B2312046005BCB09FB38D866ABF779AFF92342F40092DBD42E71D2EE14AD0C8657
                  APIs
                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                  • SetEvent.KERNEL32(00000000), ref: 00404E43
                  • CloseHandle.KERNEL32(00000000), ref: 00404E4C
                  • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404E91
                  • SetEvent.KERNEL32(00000000), ref: 00404EA2
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404EA9
                  • SetEvent.KERNEL32(00000000), ref: 00404EBA
                  • CloseHandle.KERNEL32(00000000), ref: 00404EBF
                  • CloseHandle.KERNEL32(00000000), ref: 00404EC4
                  • SetEvent.KERNEL32(00000000), ref: 00404ED1
                  • CloseHandle.KERNEL32(00000000), ref: 00404ED6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                  • String ID: PkGNG
                  • API String ID: 3658366068-263838557
                  • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                  • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                  • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                  • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$Info
                  • String ID:
                  • API String ID: 2509303402-0
                  • Opcode ID: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                  • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                  • Opcode Fuzzy Hash: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                  • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$Info
                  • String ID:
                  • API String ID: 2509303402-0
                  • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                  • Instruction ID: a27cb6c87493f50c1e627bbdf30722073e027b04068454323c1158a00d6aed1c
                  • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                  • Instruction Fuzzy Hash: AFB18C71900205AFDF21EFA9C881BEEBBF4FF08304F18446DF859E7242E675A9559B60
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                  • __aulldiv.LIBCMT ref: 00408D88
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                  • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                  • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                  • CloseHandle.KERNEL32(00000000), ref: 00409037
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                  • API String ID: 3086580692-2582957567
                  • Opcode ID: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                  • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                  • Opcode Fuzzy Hash: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                  • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                  APIs
                  • Sleep.KERNEL32(00001388), ref: 0040A77B
                    • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                    • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                    • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                    • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                  • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                  • String ID: 8SG$8SG$pQG$pQG$PG$PG
                  • API String ID: 3795512280-1152054767
                  • Opcode ID: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                  • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                  • Opcode Fuzzy Hash: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                  • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                  APIs
                  • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                  • WSAGetLastError.WS2_32 ref: 00404A21
                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                  • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                  • API String ID: 994465650-3229884001
                  • Opcode ID: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                  • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                  • Opcode Fuzzy Hash: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                  • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 0045138A
                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                  • _free.LIBCMT ref: 0045137F
                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                  • _free.LIBCMT ref: 004513A1
                  • _free.LIBCMT ref: 004513B6
                  • _free.LIBCMT ref: 004513C1
                  • _free.LIBCMT ref: 004513E3
                  • _free.LIBCMT ref: 004513F6
                  • _free.LIBCMT ref: 00451404
                  • _free.LIBCMT ref: 0045140F
                  • _free.LIBCMT ref: 00451447
                  • _free.LIBCMT ref: 0045144E
                  • _free.LIBCMT ref: 0045146B
                  • _free.LIBCMT ref: 00451483
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0
                  • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                  • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                  • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                  • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 008A15F1
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A0806
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A0818
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A082A
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A083C
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A084E
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A0860
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A0872
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A0884
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A0896
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A08A8
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A08BA
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A08CC
                    • Part of subcall function 008A07E9: _free.LIBCMT ref: 008A08DE
                  • _free.LIBCMT ref: 008A15E6
                    • Part of subcall function 00896A69: HeapFree.KERNEL32(00000000,00000000,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?), ref: 00896A7F
                    • Part of subcall function 00896A69: GetLastError.KERNEL32(?,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?,?), ref: 00896A91
                  • _free.LIBCMT ref: 008A1608
                  • _free.LIBCMT ref: 008A161D
                  • _free.LIBCMT ref: 008A1628
                  • _free.LIBCMT ref: 008A164A
                  • _free.LIBCMT ref: 008A165D
                  • _free.LIBCMT ref: 008A166B
                  • _free.LIBCMT ref: 008A1676
                  • _free.LIBCMT ref: 008A16AE
                  • _free.LIBCMT ref: 008A16B5
                  • _free.LIBCMT ref: 008A16D2
                  • _free.LIBCMT ref: 008A16EA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0
                  • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                  • Instruction ID: 10025c1c3bf40ce20c11443ac75f12d412411982dac83e3ab8af0b62604a61a0
                  • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                  • Instruction Fuzzy Hash: 05319E71A047019FEF20AABAD849B5673E9FF11350F18851DF458EB951EF30AD508B11
                  APIs
                  • _wcslen.LIBCMT ref: 0085D0A9
                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0085D0C2
                  • _wcslen.LIBCMT ref: 0085D188
                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0085D210
                  • _wcslen.LIBCMT ref: 0085D268
                  • CloseHandle.KERNEL32 ref: 0085D2CF
                  • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000001), ref: 0085D2ED
                  • ExitProcess.KERNEL32 ref: 0085D304
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _wcslen$CreateDirectory$CloseExecuteExitHandleProcessShell
                  • String ID: 6$C:\Users\user\Desktop\documents-pdf.exe$xdF
                  • API String ID: 3303048660-1053169332
                  • Opcode ID: ca32f07cd236d0746c7fb7d4d39a7773008b6655b21f0b5af9e2845f06c6a8c0
                  • Instruction ID: ee570c4e7a9f29067dcdbc4e51e44c53cfdcfcb002dcdbde1d9111f0163c427c
                  • Opcode Fuzzy Hash: ca32f07cd236d0746c7fb7d4d39a7773008b6655b21f0b5af9e2845f06c6a8c0
                  • Instruction Fuzzy Hash: 7151BF21284B00ABD619B7389C62B6F7759FB85703F40482DFD06DA2D3DE58AD0D876B
                  APIs
                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                    • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                    • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                    • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                  • ExitProcess.KERNEL32 ref: 0040D9FF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                  • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                  • API String ID: 1913171305-3159800282
                  • Opcode ID: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                  • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                  • Opcode Fuzzy Hash: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                  • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                  • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                  • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                  • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                  APIs
                    • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                  • GetLastError.KERNEL32 ref: 00455D6F
                  • __dosmaperr.LIBCMT ref: 00455D76
                  • GetFileType.KERNEL32(00000000), ref: 00455D82
                  • GetLastError.KERNEL32 ref: 00455D8C
                  • __dosmaperr.LIBCMT ref: 00455D95
                  • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                  • CloseHandle.KERNEL32(?), ref: 00455EFF
                  • GetLastError.KERNEL32 ref: 00455F31
                  • __dosmaperr.LIBCMT ref: 00455F38
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                  • String ID: H
                  • API String ID: 4237864984-2852464175
                  • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                  • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                  • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                  • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                  • __alloca_probe_16.LIBCMT ref: 0044AD5B
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                  • __alloca_probe_16.LIBCMT ref: 0044AE40
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                  • __freea.LIBCMT ref: 0044AEB0
                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                  • __freea.LIBCMT ref: 0044AEB9
                  • __freea.LIBCMT ref: 0044AEDE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                  • String ID: PkGNG$tC
                  • API String ID: 3864826663-4196309852
                  • Opcode ID: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                  • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                  • Opcode Fuzzy Hash: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                  • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0$1$2$3$4$5$6$7$VG
                  • API String ID: 0-1861860590
                  • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                  • Instruction ID: df723c43a3f63e5ef86e12db5739fcbfff960171d63c16a6ef9e568915c164d3
                  • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                  • Instruction Fuzzy Hash: 9671D1B45483119EE704EF24D862BAAB7D9FF54312F10880DF992971D2EA74994CC7A3
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID: \&G$\&G$`&G
                  • API String ID: 269201875-253610517
                  • Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                  • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                  • Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                  • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID: \&G$\&G$`&G
                  • API String ID: 269201875-253610517
                  • Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                  • Instruction ID: 4bd58e8fae7a7a5323ced73c673549a6e277ef70f31ee049e0b0dff50323b127
                  • Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                  • Instruction Fuzzy Hash: 0D61D272900209AFEB20DFA8C841BAABBF5FF0A710F14456AF944EB651E730AD519F50
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 65535$udp
                  • API String ID: 0-1267037602
                  • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                  • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                  • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                  • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 0040AD73
                  • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                  • GetForegroundWindow.USER32 ref: 0040AD84
                  • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                  • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                    • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                  • String ID: [${ User has been idle for $ minutes }$]
                  • API String ID: 911427763-3954389425
                  • Opcode ID: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                  • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                  • Opcode Fuzzy Hash: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                  • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                  • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                  • __dosmaperr.LIBCMT ref: 0043A926
                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                  • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                  • __dosmaperr.LIBCMT ref: 0043A963
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                  • __dosmaperr.LIBCMT ref: 0043A9B7
                  • _free.LIBCMT ref: 0043A9C3
                  • _free.LIBCMT ref: 0043A9CA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                  • String ID:
                  • API String ID: 2441525078-0
                  • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                  • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                  • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                  • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00851FBC,?,00000050,00465E10,00000000), ref: 0088AB79
                  • GetLastError.KERNEL32(?,?,00851FBC,?,00000050,00465E10,00000000), ref: 0088AB86
                  • __dosmaperr.LIBCMT ref: 0088AB8D
                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00851FBC,?,00000050,00465E10,00000000), ref: 0088ABB9
                  • GetLastError.KERNEL32(?,?,?,00851FBC,?,00000050,00465E10,00000000), ref: 0088ABC3
                  • __dosmaperr.LIBCMT ref: 0088ABCA
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00465E10,00000000,00000000,?,?,?,?,?,?,00851FBC,?), ref: 0088AC0D
                  • GetLastError.KERNEL32(?,?,?,?,?,?,00851FBC,?,00000050,00465E10,00000000), ref: 0088AC17
                  • __dosmaperr.LIBCMT ref: 0088AC1E
                  • _free.LIBCMT ref: 0088AC2A
                  • _free.LIBCMT ref: 0088AC31
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                  • String ID:
                  • API String ID: 2441525078-0
                  • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                  • Instruction ID: 0b03eb9cfe8736f4a18e9d0d89e83fb5a697d725fec04e759a2a78ec93e2a133
                  • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                  • Instruction Fuzzy Hash: 3031B17250020AFFEF19BFA8DC45CAE3B69FF04324B14416AF910E6191EA31CD10DBA2
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00862D6F
                    • Part of subcall function 0086BC70: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,008542E3), ref: 0086BC97
                    • Part of subcall function 0086880A: CloseHandle.KERNEL32(0085435C,?,?,0085435C,00465E84), ref: 00868820
                    • Part of subcall function 0086880A: CloseHandle.KERNEL32(00465E84,?,?,0085435C,00465E84), ref: 00868829
                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00863067
                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 0086309E
                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 008630DA
                    • Part of subcall function 00854D08: send.WS2_32(?,00000000,00000000,00000000), ref: 00854D9D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
                  • String ID: ,aF$0TG$0TG$NG$NG
                  • API String ID: 1937857116-3104526304
                  • Opcode ID: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                  • Instruction ID: 5a665601d7124ea92b3c255ad3ca7790f2b074c23e2c8880a4c12df5091f56c3
                  • Opcode Fuzzy Hash: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                  • Instruction Fuzzy Hash: 2B0232311487808BC325FB78D891AEFB395FFA5341F50492DB98AC2196EF706A4DC653
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 004054BF
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                  • TranslateMessage.USER32(?), ref: 0040557E
                  • DispatchMessageA.USER32(?), ref: 00405589
                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                  • String ID: CloseChat$DisplayMessage$GetMessage
                  • API String ID: 2956720200-749203953
                  • Opcode ID: 8c51573d1beb858a4e11cb7dec02f092789031ec36fc020e11151897ae52992b
                  • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                  • Opcode Fuzzy Hash: 8c51573d1beb858a4e11cb7dec02f092789031ec36fc020e11151897ae52992b
                  • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 00855726
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 008557D6
                  • TranslateMessage.USER32(?), ref: 008557E5
                  • DispatchMessageA.USER32(?), ref: 008557F0
                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 008558A8
                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 008558E0
                    • Part of subcall function 00854D08: send.WS2_32(?,00000000,00000000,00000000), ref: 00854D9D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                  • String ID: CloseChat$DisplayMessage$GetMessage
                  • API String ID: 2956720200-749203953
                  • Opcode ID: 39c70f7a9fb62d047285317ad68f4ff50d9b26878aa9747946ac0a7af0469701
                  • Instruction ID: aeaa5c909e393c9a170a31e2f515de77597d1effed03ed94460f0762704d7323
                  • Opcode Fuzzy Hash: 39c70f7a9fb62d047285317ad68f4ff50d9b26878aa9747946ac0a7af0469701
                  • Instruction Fuzzy Hash: 67418D326046019BCB14FB78DC568AE77A8FB86712F40492DF916D3292EF249909C757
                  APIs
                    • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                  • CloseHandle.KERNEL32(00000000), ref: 00417E20
                  • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00417DE3
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                  • String ID: 0VG$0VG$<$@$Temp
                  • API String ID: 1704390241-2575729100
                  • Opcode ID: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                  • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                  • Opcode Fuzzy Hash: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                  • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00861110
                  • int.LIBCPMT ref: 00861123
                    • Part of subcall function 0085E363: std::_Lockit::_Lockit.LIBCPMT ref: 0085E374
                    • Part of subcall function 0085E363: std::_Lockit::~_Lockit.LIBCPMT ref: 0085E38E
                  • std::_Facet_Register.LIBCPMT ref: 00861163
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0086116C
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0086118A
                  • __Init_thread_footer.LIBCMT ref: 008611CB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                  • String ID: ,kG$0kG$@!G
                  • API String ID: 3815856325-312998898
                  • Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                  • Instruction ID: d54f8aa8008bb278760c38caea83efa604d69c9f265f6e9340ed341219c90159
                  • Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                  • Instruction Fuzzy Hash: 872129329005149BCB04FB6CD8458DD77A9FF06720B26416AF904E7292EF31AE458BDA
                  APIs
                  • OpenClipboard.USER32 ref: 0041697C
                  • EmptyClipboard.USER32 ref: 0041698A
                  • CloseClipboard.USER32 ref: 00416990
                  • OpenClipboard.USER32 ref: 00416997
                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                  • CloseClipboard.USER32 ref: 004169BF
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                  • String ID: !D@
                  • API String ID: 2172192267-604454484
                  • Opcode ID: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                  • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                  • Opcode Fuzzy Hash: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                  • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                  • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                  • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                  • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                  APIs
                  • _free.LIBCMT ref: 004481B5
                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                  • _free.LIBCMT ref: 004481C1
                  • _free.LIBCMT ref: 004481CC
                  • _free.LIBCMT ref: 004481D7
                  • _free.LIBCMT ref: 004481E2
                  • _free.LIBCMT ref: 004481ED
                  • _free.LIBCMT ref: 004481F8
                  • _free.LIBCMT ref: 00448203
                  • _free.LIBCMT ref: 0044820E
                  • _free.LIBCMT ref: 0044821C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                  • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                  • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                  • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                  APIs
                  • _free.LIBCMT ref: 0089841C
                    • Part of subcall function 00896A69: HeapFree.KERNEL32(00000000,00000000,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?), ref: 00896A7F
                    • Part of subcall function 00896A69: GetLastError.KERNEL32(?,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?,?), ref: 00896A91
                  • _free.LIBCMT ref: 00898428
                  • _free.LIBCMT ref: 00898433
                  • _free.LIBCMT ref: 0089843E
                  • _free.LIBCMT ref: 00898449
                  • _free.LIBCMT ref: 00898454
                  • _free.LIBCMT ref: 0089845F
                  • _free.LIBCMT ref: 0089846A
                  • _free.LIBCMT ref: 00898475
                  • _free.LIBCMT ref: 00898483
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                  • Instruction ID: abf3fcd464edd180be9ff0638339c56989189e081a2d4552a97825bd47a0e325
                  • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                  • Instruction Fuzzy Hash: 9C116676600119EFCF01FFDAD842CD93BA5FF04750F5581AAB9089B222EA31DB609B41
                  APIs
                  • GetCurrentProcessId.KERNEL32 ref: 008623A8
                    • Part of subcall function 00863B19: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 00863B27
                    • Part of subcall function 00863B19: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0085C3F4,00466C58,00000001,000000AF,004660B4), ref: 00863B42
                    • Part of subcall function 00863B19: RegCloseKey.ADVAPI32(004660B4,?,?,?,0085C3F4,00466C58,00000001,000000AF,004660B4), ref: 00863B4D
                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 008623E8
                  • CloseHandle.KERNEL32(00000000), ref: 008623F7
                  • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 0086244D
                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 008626BC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                  • String ID: WDH
                  • API String ID: 3018269243-2057347716
                  • Opcode ID: b4c3793ea6c4abfbce30ba5e71894ba14c4d78db8eedaf37be1c5a9400dd77cf
                  • Instruction ID: 6083b55873426a2c6bfd57a9b5d386090bb9acd4209160e0cec00f4f2d9e2a41
                  • Opcode Fuzzy Hash: b4c3793ea6c4abfbce30ba5e71894ba14c4d78db8eedaf37be1c5a9400dd77cf
                  • Instruction Fuzzy Hash: F171913124460067C614FB78DD97DAF73A4FF92702F40056DB882D21A2EF64AA4CC7A7
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0085F730
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0085F75B
                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0085F777
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0085F7F6
                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0085F805
                    • Part of subcall function 0086C4D5: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0086C4ED
                    • Part of subcall function 0086C4D5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0086C500
                  • CloseHandle.KERNEL32(00000000), ref: 0085F910
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                  • String ID: xdF$xdF
                  • API String ID: 3756808967-3986811408
                  • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                  • Instruction ID: e1bcbb4945a69f1eb20c53f1ca15d4c804407daecdec07291e88a6d259322480
                  • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                  • Instruction Fuzzy Hash: 0D713F311583409BD714EB24D8519AF77A4FF91346F40482DFA86C31A2EF34AA4DCB97
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Eventinet_ntoa
                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                  • API String ID: 3578746661-3604713145
                  • Opcode ID: 9e55980f675333567232ede691b357dd1d43169c01c59944075cf6fb5fc4d8aa
                  • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                  • Opcode Fuzzy Hash: 9e55980f675333567232ede691b357dd1d43169c01c59944075cf6fb5fc4d8aa
                  • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Eventinet_ntoa
                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                  • API String ID: 3578746661-3604713145
                  • Opcode ID: 10eb1960a8d8ce6813e19caa070b236760d69188d96698ceea7a474dae621fae
                  • Instruction ID: ddde49b371b67d18952f98cb67f34cd6528db6a680fe86f7231cfca0be4f019f
                  • Opcode Fuzzy Hash: 10eb1960a8d8ce6813e19caa070b236760d69188d96698ceea7a474dae621fae
                  • Instruction Fuzzy Hash: A251F431A042009BCA14F73CC92AA6E7BA5FB91311F454529F806D76E2EF648D49C797
                  APIs
                  • __EH_prolog.LIBCMT ref: 0086A2B1
                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0086A36F
                  • GetLocalTime.KERNEL32(?), ref: 0086A3FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateDirectoryH_prologLocalTime
                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                  • API String ID: 2709065311-1431523004
                  • Opcode ID: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                  • Instruction ID: aa804ab76e8c5163b4681caa2a9559c459979a1e3e52fe61b7a2962bcc9581b7
                  • Opcode Fuzzy Hash: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                  • Instruction Fuzzy Hash: 3A51D671A402149ACB14FBB8CC52AFE7768FF56301F44402AF905EB292EF745E49CB66
                  APIs
                  • RtlDecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DecodePointer
                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                  • API String ID: 3527080286-3064271455
                  • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                  • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                  • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                  • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                  APIs
                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                  • __fassign.LIBCMT ref: 0044B4F9
                  • __fassign.LIBCMT ref: 0044B514
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
                  • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID: PkGNG
                  • API String ID: 1324828854-263838557
                  • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                  • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                  • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                  • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                  APIs
                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0089BE18,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0089B6E5
                  • __fassign.LIBCMT ref: 0089B760
                  • __fassign.LIBCMT ref: 0089B77B
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0089B7A1
                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0089BE18,00000000,?,?,?,?,?,?,?,?,PkGNG,0089BE18,?), ref: 0089B7C0
                  • WriteFile.KERNEL32(?,?,00000001,0089BE18,00000000,?,?,?,?,?,?,?,?,PkGNG,0089BE18,?), ref: 0089B7F9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID: PkGNG
                  • API String ID: 1324828854-263838557
                  • Opcode ID: df6090bc8f26b7e29a48799c2f63ef8664aacbe2c579135c1419eb37ea41631a
                  • Instruction ID: 6293012f8925435ddd0b909da7d869b4089f91f998846a1b1bd92e458555850a
                  • Opcode Fuzzy Hash: df6090bc8f26b7e29a48799c2f63ef8664aacbe2c579135c1419eb37ea41631a
                  • Instruction Fuzzy Hash: FC51C370900209AFCF10DFA8E981AEEBBF9FF08310F18456AE955F7291E7709941CB61
                  APIs
                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00865077
                  • LoadLibraryA.KERNEL32(?), ref: 008650B9
                  • LoadLibraryA.KERNEL32(?), ref: 00865118
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00865140
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad$AddressDirectoryProcSystem
                  • String ID: IA$EIA$EIA$KA
                  • API String ID: 4217395396-533031392
                  • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                  • Instruction ID: 6c73b21704903af2a49d84e1053be90d7278d2929cb7651d01ca03fe7bc1ac0f
                  • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                  • Instruction Fuzzy Hash: 8531F2B1505B16ABC721AF28DC88E9FB7E8FF85744F064925F984D3250E734D9048AEB
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                  • Sleep.KERNEL32(00000064), ref: 0041755C
                  • DeleteFileW.KERNEL32(00000000), ref: 00417590
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CreateDeleteExecuteShellSleep
                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                  • API String ID: 1462127192-2001430897
                  • Opcode ID: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                  • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                  • Opcode Fuzzy Hash: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                  • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                  APIs
                  • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                  • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\documents-pdf.exe), ref: 004074D9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentProcess
                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                  • API String ID: 2050909247-4242073005
                  • Opcode ID: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                  • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                  • Opcode Fuzzy Hash: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                  • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                  APIs
                  • _strftime.LIBCMT ref: 00401D50
                    • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                  • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                  • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                  • API String ID: 3809562944-243156785
                  • Opcode ID: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                  • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                  • Opcode Fuzzy Hash: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                  • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                  • int.LIBCPMT ref: 00410EBC
                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                  • std::_Facet_Register.LIBCPMT ref: 00410EFC
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                  • __Init_thread_footer.LIBCMT ref: 00410F64
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                  • String ID: ,kG$0kG
                  • API String ID: 3815856325-2015055088
                  • Opcode ID: 520139271163b524b0f3c27c15f9cb8b3411f5b4579fbd911df66d6a7deba011
                  • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                  • Opcode Fuzzy Hash: 520139271163b524b0f3c27c15f9cb8b3411f5b4579fbd911df66d6a7deba011
                  • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                  APIs
                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                  • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                  • waveInStart.WINMM ref: 00401CFE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                  • String ID: dMG$|MG$PG
                  • API String ID: 1356121797-532278878
                  • Opcode ID: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                  • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                  • Opcode Fuzzy Hash: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                  • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                    • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                    • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                    • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                  • lstrcpyn.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                  • Shell_NotifyIcon.SHELL32(00000000,00474B48), ref: 0041D56E
                  • TranslateMessage.USER32(?), ref: 0041D57A
                  • DispatchMessageA.USER32(?), ref: 0041D584
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                  • String ID: Remcos
                  • API String ID: 1970332568-165870891
                  • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                  • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                  • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                  • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                  • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                  • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                  • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                  • Instruction ID: 85e5111d468306239c0290325f73965196ad4fded917f36017b8ca8e7b2ed410
                  • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                  • Instruction Fuzzy Hash: D5C19A74A04349AFDF11AFA8CC41BADBBB4FF19310F1841A8E814E7392D7759941CB6A
                  APIs
                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                  • __alloca_probe_16.LIBCMT ref: 00453F6A
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                  • __alloca_probe_16.LIBCMT ref: 00454014
                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                  • __freea.LIBCMT ref: 00454083
                  • __freea.LIBCMT ref: 0045408F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                  • String ID:
                  • API String ID: 201697637-0
                  • Opcode ID: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                  • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                  • Opcode Fuzzy Hash: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                  • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                  APIs
                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                  • _memcmp.LIBVCRUNTIME ref: 004454A4
                  • _free.LIBCMT ref: 00445515
                  • _free.LIBCMT ref: 0044552E
                  • _free.LIBCMT ref: 00445560
                  • _free.LIBCMT ref: 00445569
                  • _free.LIBCMT ref: 00445575
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorLast$_abort_memcmp
                  • String ID: C
                  • API String ID: 1679612858-1037565863
                  • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                  • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                  • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                  • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                  APIs
                    • Part of subcall function 008984FC: GetLastError.KERNEL32(?,0088F9D7,0088AADC,0088F9D7,00474EF8,PkGNG,0088D0CC,FF8BC35D,00474EF8,00474EF8), ref: 00898500
                    • Part of subcall function 008984FC: _free.LIBCMT ref: 00898533
                    • Part of subcall function 008984FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898574
                    • Part of subcall function 008984FC: _abort.LIBCMT ref: 0089857A
                  • _memcmp.LIBVCRUNTIME ref: 0089570B
                  • _free.LIBCMT ref: 0089577C
                  • _free.LIBCMT ref: 00895795
                  • _free.LIBCMT ref: 008957C7
                  • _free.LIBCMT ref: 008957D0
                  • _free.LIBCMT ref: 008957DC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorLast$_abort_memcmp
                  • String ID: C
                  • API String ID: 1679612858-1037565863
                  • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                  • Instruction ID: 912ab2658ec1fa77b30a3808d5f761d38ad64ac947ad6c4c2a7b966da4926ca1
                  • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                  • Instruction Fuzzy Hash: 52B13875A01629DBDF25EF18C884AADB7B5FF48304F5485AAE849E7351E730AE90CF40
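Several functions appear twice in this listing with the same Opcode ID but a different Instruction ID: once from the PE image at 0x400000 and once from the region at 0x850000 that the report marks "based on PE: false". The two `_free$ErrorLast$_abort_memcmp` entries directly above are one such pair. The Python below, added here as an example and not part of the Joe Sandbox report, aligns the API references of such a pair by API sequence, checks that every reference moved by the same amount, and uses that delta to map addresses seen in the copy back to the image. The address lists are copied from the two entries; `pair_by_sequence`, `relocation_delta`, `to_image_address` and `analyse` are this example's own helpers.

```python
"""Align one function's API references as listed from two memory dumps and
derive the relocation delta between them.  Added example; not part of the Joe
Sandbox report.  Input addresses are copied from the two
'_free$ErrorLast$_abort_memcmp' entries on this page."""
from collections import Counter

# Constructed from the page: (API name, ref) in listing order, one list per dump.
IMAGE_ENTRY = [  # dump 00000000.00000002.2127973802.0000000000400000, "based on PE: true"
    ("GetLastError", 0x00448299), ("_free", 0x004482CC), ("SetLastError", 0x0044830D),
    ("_abort", 0x00448313), ("_memcmp", 0x004454A4), ("_free", 0x00445515),
    ("_free", 0x0044552E), ("_free", 0x00445560), ("_free", 0x00445569), ("_free", 0x00445575),
]
COPY_ENTRY = [   # dump 00000000.00000002.2128264560.0000000000850000, "based on PE: false"
    ("GetLastError", 0x00898500), ("_free", 0x00898533), ("SetLastError", 0x00898574),
    ("_abort", 0x0089857A), ("_memcmp", 0x0089570B), ("_free", 0x0089577C),
    ("_free", 0x00895795), ("_free", 0x008957C7), ("_free", 0x008957D0), ("_free", 0x008957DC),
]


def pair_by_sequence(image_refs, copy_refs):
    """Pair references positionally; both entries must list the same APIs in the same order."""
    if [n for n, _ in image_refs] != [n for n, _ in copy_refs]:
        raise ValueError("API sequences differ; these entries are not the same function")
    return [(name, a, b) for (name, a), (_, b) in zip(image_refs, copy_refs)]


def relocation_delta(pairs):
    """Return (delta, consistent): the most common copy-minus-image delta and
    whether every pair agrees with it."""
    votes = Counter(copy - image for _, image, copy in pairs)
    delta, count = votes.most_common(1)[0]
    return delta, count == len(pairs)


def to_image_address(copy_addr, delta):
    """Map an address seen in the copy back to its equivalent in the PE image."""
    return copy_addr - delta


def copy_base(image_base, delta):
    """Where the image base lands inside the copy region."""
    return image_base + delta


def analyse(image_refs, copy_refs, image_base=0x400000):
    """Full check for one entry pair: delta, consistency, and whether the copy
    sits at a page-aligned base (a normally mapped module would)."""
    pairs = pair_by_sequence(image_refs, copy_refs)
    delta, consistent = relocation_delta(pairs)
    base = copy_base(image_base, delta)
    return {"delta": delta, "consistent": consistent,
            "copy_base": base, "page_aligned": base % 0x1000 == 0}


if __name__ == "__main__":
    r = analyse(IMAGE_ENTRY, COPY_ENTRY)
    print(f"delta 0x{r['delta']:X}, consistent={r['consistent']}, "
          f"image base maps to 0x{r['copy_base']:X}, page aligned={r['page_aligned']}")
    # The keylogger routine later on this page is listed from the copy at 0085A583.
    print(f"0085A583 in the copy -> {to_image_address(0x0085A583, r['delta']):08X} in the image")
```

All ten references move by exactly 0x450267, which is what a byte-for-byte copy of the image looks like: the image base 0x400000 corresponds to 0x850267, 0x267 bytes into the dumped region rather than at a page-aligned base, so the copy is not a normally mapped module. Applying the delta the other way explains the arguments seen in the 0x850000 entries: the keylogger routine's SetWindowsHookExA call at 0085A583 corresponds to 0040A31C, and the hook procedure it passes, 0040A2DF, is an address in the original image, as are the 00474EF8-style globals in the other copied functions. Absolute pointers in the copy still reference the original image, so the two sets of entries describe the same code.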
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: tcp$udp
                  • API String ID: 0-3725065008
                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                  • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                  • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                  APIs
                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0086B434
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0086B470
                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0086B486
                  • SetEvent.KERNEL32 ref: 0086B511
                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0086B522
                  • CloseHandle.KERNEL32 ref: 0086B532
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
                  • String ID: open "
                  • API String ID: 1811012380-3219617982
                  • Opcode ID: 1962c3d4fb40b8be99efedbcc0b43e05d801a0b69fe6eb8e43eb8b8166c4a5cb
                  • Instruction ID: 4cd1dd4ff11fe1517a62465772a87ed815bbedb0967a8d39980bfeb7860bd742
                  • Opcode Fuzzy Hash: 1962c3d4fb40b8be99efedbcc0b43e05d801a0b69fe6eb8e43eb8b8166c4a5cb
                  • Instruction Fuzzy Hash: 6F51A4B12843046ED314B738DC92EBF779CFB91349F10042AF546D21A2EF609D4C8A6B
                  APIs
                  • connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 00854B47
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00854C67
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00854C75
                  • WSAGetLastError.WS2_32 ref: 00854C88
                    • Part of subcall function 0086B7E7: GetLocalTime.KERNEL32(00000000), ref: 0086B801
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                  • String ID: Connection Failed: $PkGNG$TLS Handshake... |
                  • API String ID: 994465650-2799020840
                  • Opcode ID: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                  • Instruction ID: 3442c9c5d16b7dc1097e0adb87b311a3e50885fc86e1f526799874214c244d06
                  • Opcode Fuzzy Hash: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                  • Instruction Fuzzy Hash: 08410771A006017B8B18777D8D1B62D7A25FF8230AF500159FC02C7A97EE66DC6887D3
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 004018BE
                  • RtlExitUserThread.KERNEL32(00000000), ref: 004018F6
                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                  • String ID: PkG$XMG$NG$NG
                  • API String ID: 1265842484-3151166067
                  • Opcode ID: a361ccbb91256eacbef4dd76af69142fab6481d8ad58eb8775f918dae1bd9ce4
                  • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                  • Opcode Fuzzy Hash: a361ccbb91256eacbef4dd76af69142fab6481d8ad58eb8775f918dae1bd9ce4
                  • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 00851B25
                  • RtlExitUserThread.NTDLL(00000000), ref: 00851B5D
                  • waveInUnprepareHeader.WINMM(00001E40,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00851C6B
                    • Part of subcall function 00884A68: __onexit.LIBCMT ref: 00884A6E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                  • String ID: PkG$XMG$NG$NG
                  • API String ID: 1265842484-3151166067
                  • Opcode ID: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                  • Instruction ID: 196e3205599657510a57f0c5a247a2de5ad6cb78b67ae8c4c9be9837ff3e7e2f
                  • Opcode Fuzzy Hash: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                  • Instruction Fuzzy Hash: FA41C1312086509BC725FB28ED96AAE73A6FB92312F40452DF849D61E2EF306D4DC717
                  APIs
                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                    • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                    • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                  • String ID: .part
                  • API String ID: 1303771098-3499674018
                  • Opcode ID: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                  • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                  • Opcode Fuzzy Hash: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                  • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0085A575
                  • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0085A583
                  • GetLastError.KERNEL32 ref: 0085A58F
                    • Part of subcall function 0086B7E7: GetLocalTime.KERNEL32(00000000), ref: 0086B801
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0085A5DD
                  • TranslateMessage.USER32(?), ref: 0085A5EC
                  • DispatchMessageA.USER32(?), ref: 0085A5F7
                  Strings
                  • Keylogger initialization failure: error , xrefs: 0085A5A3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                  • String ID: Keylogger initialization failure: error
                  • API String ID: 3219506041-952744263
                  • Opcode ID: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                  • Instruction ID: 599477685a0ad1b5b6356eec83a048a746dd275ccdaf9f82f2730a4dcc3d0f62
                  • Opcode Fuzzy Hash: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                  • Instruction Fuzzy Hash: FA116D31514201EBC714BBB99D4996A76ECFB95712B500679FC42D2191FE30D904C6A7
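The function entries on this page (the ShellExecuteW/dxdiag routine, the waveIn recorder, the `.part` file writer and the SetWindowsHookExA routine directly above) are all printed in the same bullet format, with arguments left as raw hex. The Python below, added here as an example and not part of the Joe Sandbox report, parses that format into structured calls, decodes the few constants that carry the meaning (the idHook value 0000000D is WH_KEYBOARD_LL; the CreateFileW access and disposition values; the Sleep interval), and tags a function with the behaviour its API sequence implies. The sample input is copied from the dxdiag entry and the keylogger entry on this page; the tag names and the `parse_api_line`, `describe` and `tag_behaviour` helpers are this example's own.

```python
"""Parse the 'APIs' bullet lines of a Joe Sandbox function entry into structured
calls, decode the raw constants that carry meaning, and tag the behaviour the
call sequence implies.  Added example; not part of the Joe Sandbox report.
The sample entries at the bottom are copied from this page."""
import re
from dataclasses import dataclass
from typing import List, Optional

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[\w:~@$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# SetWindowsHookEx idHook values from winuser.h; 13 is the low-level keyboard hook.
WH_IDS = {2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 5: "WH_CBT", 7: "WH_MOUSE",
          13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
CREATEFILE_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                     0x4: "FILE_APPEND_DATA"}
CREATEFILE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                          4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                      # int for 8-hex-digit values, None for '?', str otherwise
    ref: int                        # address of the call site
    subcall: Optional[int] = None   # set when the line reads 'Part of subcall function X'


def parse_arg(raw: str):
    raw = raw.strip()
    if raw == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return int(raw, 16)
    return raw                      # string literal the sandbox resolved, e.g. 'dxdiag'


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line)
    if not m:
        return None                 # headings such as 'Strings' or 'Memory Dump Source'
    args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub)


def parse_entry(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def describe(call: ApiCall) -> str:
    """Render the arguments the report prints as bare hex, for the APIs that matter here."""
    a = call.args
    if call.name.startswith("SetWindowsHookEx") and a:
        return f"{call.name}(idHook={WH_IDS.get(a[0], a[0])})"
    if call.name == "CreateFileW" and len(a) >= 5:
        access = a[1] if isinstance(a[1], int) else 0
        bits = [n for bit, n in CREATEFILE_ACCESS.items() if access & bit] or [hex(access)]
        disp = CREATEFILE_DISPOSITION.get(a[4], a[4])
        return f"CreateFileW(access={'|'.join(bits)}, disposition={disp})"
    if call.name == "Sleep" and a:
        return f"Sleep({a[0]} ms)"
    if call.name == "ShellExecuteW" and len(a) >= 3:
        return f"ShellExecuteW(verb={a[1]!r}, file={a[2]!r})"
    return call.name


def tag_behaviour(calls: List[ApiCall]) -> set:
    """Tags keyed on argument values and API combinations, not on single API names."""
    names = {c.name for c in calls}
    tags = set()
    if any(c.name == "ShellExecuteW" and "dxdiag" in c.args for c in calls):
        tags.add("sysinfo_via_dxdiag")
    if any(c.name.startswith("SetWindowsHookEx") and c.args and c.args[0] == 13 for c in calls):
        tags.add("low_level_keyboard_hook")
    if {"waveInOpen", "waveInAddBuffer", "waveInStart"} <= names:
        tags.add("microphone_capture")
    if {"CreateFileW", "WriteFile", "MoveFileW"} <= names:
        tags.add("write_then_rename")
    if {"GetMessageA", "TranslateMessage", "DispatchMessageA"} <= names:
        tags.add("message_loop")
    return tags


# Constructed input: API bullet lines copied from two function entries on this page.
DXDIAG_ENTRY = """\
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
"""
KEYLOG_ENTRY = """\
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0085A575
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0085A583
• GetLastError.KERNEL32 ref: 0085A58F
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0085A5DD
• TranslateMessage.USER32(?), ref: 0085A5EC
• DispatchMessageA.USER32(?), ref: 0085A5F7
"""

if __name__ == "__main__":
    for entry in (DXDIAG_ENTRY, KEYLOG_ENTRY):
        calls = parse_entry(entry)
        for c in calls:
            print(f"  {c.ref:08X}  {describe(c)}")
        print("tags:", sorted(tag_behaviour(calls)))
```

Running it prints the decoded calls and then `sysinfo_via_dxdiag` for the first entry and `low_level_keyboard_hook`, `message_loop` for the second. The dxdiag entry's own string IDs (`/t`, `\sysinfo.txt`, `temp`) indicate that dxdiag is launched with `/t` to write its system-information report into the temp directory; the CreateFileW subcall opens that file with GENERIC_READ and OPEN_EXISTING, and DeleteFileW removes it afterwards. The hook classification keys on the idHook argument rather than on the API name alone: SetWindowsHookExA with WH_KEYBOARD or WH_GETMESSAGE is common in benign software, while WH_KEYBOARD_LL together with the routine's own GetMessage pump is the shape a user-mode keylogger takes.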
                  APIs
                  • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                  • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                  • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Console$Window$AllocOutputShow
                  • String ID: Remcos v$5.1.2 Pro$CONOUT$
                  • API String ID: 4067487056-1584637518
                  • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                  • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                  • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                  • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                  APIs
                  • SendInput.USER32 ref: 00419A25
                  • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                  • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                    • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: InputSend$Virtual
                  • String ID:
                  • API String ID: 1167301434-0
                  • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                  • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                  • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                  • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: __freea$__alloca_probe_16_free
                  • String ID: a/p$am/pm$h{D
                  • API String ID: 2936374016-2303565833
                  • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                  • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                  • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                  • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                  APIs
                  • _free.LIBCMT ref: 008994F9
                  • _free.LIBCMT ref: 0089951D
                  • _free.LIBCMT ref: 008996A4
                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 008996B6
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 0089972E
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 0089975B
                  • _free.LIBCMT ref: 00899870
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                  • String ID:
                  • API String ID: 314583886-0
                  • Opcode ID: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                  • Instruction ID: 8ba672231f42f9984fb2c095844c0c6ae7d69b148e2106291daf9ccbde1bbe0f
                  • Opcode Fuzzy Hash: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                  • Instruction Fuzzy Hash: 7BC14471900205ABDF25BFBC9D41AAABBA8FF45310F1C41AEE4D9D7291EB318E41CB51
                  APIs
                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,008A4343,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 008A4116
                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,008A4343,00000000,00000000,?,00000001,?,?,?,?), ref: 008A4199
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,008A4343,?,008A4343,00000000,00000000,?,00000001,?,?,?,?), ref: 008A422C
                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008A4343,00000000,00000000,?,00000001,?,?,?,?), ref: 008A4243
                    • Part of subcall function 0089641F: RtlAllocateHeap.NTDLL(00000000,008855B0,?), ref: 00896451
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008A4343,00000000,00000000,?,00000001,?,?,?,?), ref: 008A42BF
                  • __freea.LIBCMT ref: 008A42EA
                  • __freea.LIBCMT ref: 008A42F6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                  • String ID:
                  • API String ID: 2829977744-0
                  • Opcode ID: 24d135ac0f9138e255d98317baa41a59b13291ee02cbd6844a619640bdede200
                  • Instruction ID: 7f76d3e40dd703af969734eae0fb8d3c5c31bde99b15551c1f67f41a02802edb
                  • Opcode Fuzzy Hash: 24d135ac0f9138e255d98317baa41a59b13291ee02cbd6844a619640bdede200
                  • Instruction Fuzzy Hash: 0291D371E0021A9BFF209FA8CC41AEEBBA5FF9A314F185529E905E7541E7B5DC80C760
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: udp
                  • API String ID: 0-4243565622
                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                  • Instruction ID: 8df27eedf1b9b7713223707d46abd9bb3a8a5e6f69c7111753fa737bdd302286
                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                  • Instruction Fuzzy Hash: C6718970A093068FD7258F18C48462EBBE1FF98355F26682EF885C7261EB75CD05CB92
                  APIs
                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                  • _free.LIBCMT ref: 00444E87
                  • _free.LIBCMT ref: 00444E9E
                  • _free.LIBCMT ref: 00444EBD
                  • _free.LIBCMT ref: 00444ED8
                  • _free.LIBCMT ref: 00444EEF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$AllocateHeap
                  • String ID: KED
                  • API String ID: 3033488037-2133951994
                  • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                  • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                  • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                  • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                  APIs
                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Enum$InfoQueryValue
                  • String ID: [regsplt]$xUG$TG
                  • API String ID: 3554306468-1165877943
                  • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                  • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                  • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                  • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                  APIs
                    • Part of subcall function 00862AF2: TerminateProcess.KERNEL32(00000000,?,0085DAB1), ref: 00862B02
                    • Part of subcall function 00862AF2: WaitForSingleObject.KERNEL32(000000FF,?,0085DAB1), ref: 00862B15
                    • Part of subcall function 0086399A: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 008639B6
                    • Part of subcall function 0086399A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 008639CF
                    • Part of subcall function 0086399A: RegCloseKey.ADVAPI32(?), ref: 008639DA
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0085DAFB
                  • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0085DC5A
                  • ExitProcess.KERNEL32 ref: 0085DC66
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                  • String ID: 8SG$exepath$xdF
                  • API String ID: 1913171305-3578471011
                  • Opcode ID: 42ab35d1de50171d89691c1a4e51747da9b5414ad99897b439254141905a24e9
                  • Instruction ID: d7bdfac11608f63e75a23666a9bcd2520fed682cca61097ce686e71a0beb7404
                  • Opcode Fuzzy Hash: 42ab35d1de50171d89691c1a4e51747da9b5414ad99897b439254141905a24e9
                  • Instruction Fuzzy Hash: 674160319505185ACB19FB68DC92DEF7739FF51702F10016AF906E3192EF602E8ECA96
                  APIs
                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                    • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                    • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumInfoOpenQuerysend
                  • String ID: xUG$NG$NG$TG
                  • API String ID: 3114080316-2811732169
                  • Opcode ID: ad67037a7976a7efd854f2634821b5dd733e7892351dc079feb5c625d2e81a3a
                  • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                  • Opcode Fuzzy Hash: ad67037a7976a7efd854f2634821b5dd733e7892351dc079feb5c625d2e81a3a
                  • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
                  • __alloca_probe_16.LIBCMT ref: 00451231
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
                  • __freea.LIBCMT ref: 0045129D
                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                  • String ID: PkGNG
                  • API String ID: 313313983-263838557
                  • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                  • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                  • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                  • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                  APIs
                    • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                    • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                    • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                  • _wcslen.LIBCMT ref: 0041B7F4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                  • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                  • API String ID: 3286818993-122982132
                  • Opcode ID: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                  • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                  • Opcode Fuzzy Hash: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                  • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                  APIs
                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                  • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                  • API String ID: 1133728706-4073444585
                  • Opcode ID: 82f3536f7391415d25674f0736c327500bde81d48cd9b738ac55359f41ca632d
                  • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                  • Opcode Fuzzy Hash: 82f3536f7391415d25674f0736c327500bde81d48cd9b738ac55359f41ca632d
                  • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                  • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                  • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                  • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                  • Instruction ID: 90f0bea490e048555ba0773438d8bd4f6d8114925c6e959f936e03b38dd35ba3
                  • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                  • Instruction Fuzzy Hash: CA11D276604259BFDF107FBACC04D6B3AACFF86720B284578F815D6951EE31882096A1
                  APIs
                    • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                  • _free.LIBCMT ref: 00450FC8
                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                  • _free.LIBCMT ref: 00450FD3
                  • _free.LIBCMT ref: 00450FDE
                  • _free.LIBCMT ref: 00451032
                  • _free.LIBCMT ref: 0045103D
                  • _free.LIBCMT ref: 00451048
                  • _free.LIBCMT ref: 00451053
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                  • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                  • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                  APIs
                    • Part of subcall function 008A0F28: _free.LIBCMT ref: 008A0F51
                  • _free.LIBCMT ref: 008A122F
                    • Part of subcall function 00896A69: HeapFree.KERNEL32(00000000,00000000,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?), ref: 00896A7F
                    • Part of subcall function 00896A69: GetLastError.KERNEL32(?,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?,?), ref: 00896A91
                  • _free.LIBCMT ref: 008A123A
                  • _free.LIBCMT ref: 008A1245
                  • _free.LIBCMT ref: 008A1299
                  • _free.LIBCMT ref: 008A12A4
                  • _free.LIBCMT ref: 008A12AF
                  • _free.LIBCMT ref: 008A12BA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                  • Instruction ID: 6df0c718ed9772fa93a46e49e8da0eff49181241497b1f1470d094d3e6dc8674
                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                  • Instruction Fuzzy Hash: F1116D71541B04AAEB70B7B4DC07FCBB7DCFF09700F444C18B299F64D2DA64A5164A52
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                  • int.LIBCPMT ref: 004111BE
                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                  • std::_Facet_Register.LIBCPMT ref: 004111FE
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                  • String ID: (mG
                  • API String ID: 2536120697-4059303827
                  • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                  • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                  • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                  • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00861412
                  • int.LIBCPMT ref: 00861425
                    • Part of subcall function 0085E363: std::_Lockit::_Lockit.LIBCPMT ref: 0085E374
                    • Part of subcall function 0085E363: std::_Lockit::~_Lockit.LIBCPMT ref: 0085E38E
                  • std::_Facet_Register.LIBCPMT ref: 00861465
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0086146E
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0086148C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                  • String ID: (mG
                  • API String ID: 2536120697-4059303827
                  • Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                  • Instruction ID: cc414cff1858999f5951d897918ab5ee18a9816d166ddf7b452e21198c9185fc
                  • Opcode Fuzzy Hash: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                  • Instruction Fuzzy Hash: 44119432A00514A7CB14FBACD8458DDB769FF40711B154156F904E7292DF319E458BD6
                  APIs
                  • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                  • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                  • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                  • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                  • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                  APIs
                  • GetLastError.KERNEL32(?,?,0088A638,008895A5), ref: 0088A64F
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0088A65D
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0088A676
                  • SetLastError.KERNEL32(00000000,?,0088A638,008895A5), ref: 0088A6C8
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                  • Instruction ID: 6c1ea3e46d3560a43a4e01ee96b41230aec92c79e7422ab95abd90a54131fdcc
                  • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                  • Instruction Fuzzy Hash: 980128321197525DB62877BCBC996363648FB107B4728023AF218C15F9FF518C815346
                  APIs
                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\documents-pdf.exe), ref: 0040760B
                    • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                    • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                  • CoUninitialize.OLE32 ref: 00407664
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitializeObjectUninitialize_wcslen
                  • String ID: C:\Users\user\Desktop\documents-pdf.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                  • API String ID: 3851391207-66390300
                  • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                  • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                  • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                  • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                  APIs
                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                  • GetLastError.KERNEL32 ref: 0040BB22
                  Strings
                  • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                  • UserProfile, xrefs: 0040BAE8
                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                  • [Chrome Cookies not found], xrefs: 0040BB3C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteErrorFileLast
                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  • API String ID: 2018770650-304995407
                  • Opcode ID: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                  • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                  • Opcode Fuzzy Hash: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                  • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
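The two entries above (the CoInitializeEx / CoGetObject / CoUninitialize function carrying the "[+] ucmCMLuaUtilShellExecMethod" strings, and the DeleteFileA function carrying the Chrome Cookies path) are the kind of indicators a triage script can look for in the memory regions this report dumps. The following Python scanner is an added example, not Joe Sandbox output and not the sample's own code. It searches a raw buffer for the report's strings and import names in both ASCII and UTF-16LE and only reports a capability when several distinct indicators co-occur. The COM elevation moniker and CLSID it also looks for are the values the public UACMe `ucmCMLuaUtilShellExecMethod` technique passes to CoGetObject; they are assumed here and do not appear in this report. The "Rmc-" string is treated as the Remcos mutex/ID tag, which is an assumption about Remcos, not something the report states. `SAMPLE_DUMP` is a constructed stand-in for a dump.

```python
"""Capability triage over a memory dump, driven by the indicators in this report.

Added example, not Joe Sandbox output and not the sample's own code.  It
scans raw bytes (an unpacked PE or a process dump such as the 0x400000 /
0x850000 regions above) for the strings and import names the report ties to
each behaviour, in ASCII and UTF-16LE, and only reports a capability when
several distinct indicators co-occur, so a lone generic import such as
DeleteFileA is never enough on its own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed values (not shown in the report): the COM elevation moniker and
# CLSID that the UACMe "ucmCMLuaUtilShellExecMethod" technique passes to
# CoGetObject to obtain an auto-elevated ICMLuaUtil (CMSTPLUA) instance.
CMSTPLUA_MONIKER = b"Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

INDICATORS: Dict[str, List[bytes]] = {
    "uac_bypass_cmstplua": [
        b"[+] ucmCMLuaUtilShellExecMethod",
        b"[+] before ShellExec",
        b"[+] ShellExec success",
        CMSTPLUA_MONIKER,
        b"CoGetObject",
    ],
    "chrome_cookie_wipe": [
        b"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
        b"[Chrome Cookies found, cleared!]",
        b"DeleteFileA",
    ],
    "keylogger": [b"GetKeyboardState", b"ToUnicodeEx", b"GetForegroundWindow"],
}

# "Rmc-" followed by an alphanumeric tag, as in the Rmc-AYRCHN string in this
# report (treated here as the Remcos mutex/ID string, an assumption).
MUTEX_ASCII = re.compile(rb"Rmc-[A-Za-z0-9]{4,16}")
MUTEX_UTF16 = re.compile(rb"R\x00m\x00c\x00-\x00(?:[A-Za-z0-9]\x00){4,16}")


@dataclass
class Hit:
    capability: str
    indicator: str
    offset: int
    encoding: str


def _find_all(buf: bytes, needle: bytes) -> List[Tuple[int, str]]:
    """Offsets of `needle` in ASCII and as UTF-16LE (how wide-char APIs see it)."""
    wide = needle.decode("latin-1").encode("utf-16-le")
    hits = [(m.start(), "ascii") for m in re.finditer(re.escape(needle), buf)]
    hits += [(m.start(), "utf-16le") for m in re.finditer(re.escape(wide), buf)]
    return hits


def scan(buf: bytes) -> List[Hit]:
    """Every indicator occurrence in `buf`, ordered by offset."""
    hits = []
    for cap, needles in INDICATORS.items():
        for needle in needles:
            for off, enc in _find_all(buf, needle):
                hits.append(Hit(cap, needle.decode("latin-1"), off, enc))
    return sorted(hits, key=lambda h: h.offset)


def capabilities(buf: bytes, min_indicators: int = 2) -> Dict[str, int]:
    """capability -> number of distinct indicators, for those at/above the bar."""
    seen: Dict[str, set] = {}
    for h in scan(buf):
        seen.setdefault(h.capability, set()).add(h.indicator)
    return {c: len(s) for c, s in seen.items() if len(s) >= min_indicators}


def remcos_mutex_names(buf: bytes) -> List[str]:
    """Rmc-* strings in either encoding, deduplicated."""
    names = {m.group().decode("ascii") for m in MUTEX_ASCII.finditer(buf)}
    names |= {m.group().decode("utf-16-le") for m in MUTEX_UTF16.finditer(buf)}
    return sorted(names)


# Constructed stand-in for a dump: a few of the report's strings with padding,
# the moniker stored wide because CoGetObject takes an LPCWSTR.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"[+] ucmCMLuaUtilShellExecMethod\x00"
    + CMSTPLUA_MONIKER.decode("ascii").encode("utf-16-le") + b"\x00\x00"
    + b"CoGetObject\x00"
    + b"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies\x00"
    + b"DeleteFileA\x00"
    + b"Rmc-AYRCHN\x00"
    + b"\xcc" * 16
)

if __name__ == "__main__":
    for h in scan(SAMPLE_DUMP):
        print(f"{h.offset:#08x} {h.encoding:8} {h.capability:20} {h.indicator}")
    print(capabilities(SAMPLE_DUMP), remcos_mutex_names(SAMPLE_DUMP))
```

The co-occurrence threshold is the point: `DeleteFileA` or `CoGetObject` alone is found in plenty of benign binaries, while the UACMe debug strings next to the elevation moniker, or the Chrome Cookies path next to the "cleared!" message, are what justify the signatures listed at the top of this report. On a real dump, pass the bytes of the `.sdmp` file instead of `SAMPLE_DUMP`.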
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0086D76E
                    • Part of subcall function 0086D807: RegisterClassExA.USER32(00000030), ref: 0086D853
                    • Part of subcall function 0086D807: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0086D86E
                    • Part of subcall function 0086D807: GetLastError.KERNEL32 ref: 0086D878
                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0086D7A5
                  • lstrcpyn.KERNEL32(00474B60,0046CF44,00000080), ref: 0086D7BF
                  • Shell_NotifyIcon.SHELL32(00000000,00474B48), ref: 0086D7D5
                  • TranslateMessage.USER32(?), ref: 0086D7E1
                  • DispatchMessageA.USER32(?), ref: 0086D7EB
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0086D7F8
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                  • String ID:
                  • API String ID: 1970332568-0
                  • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                  • Instruction ID: 63fe530dcbacc99da9eec09895f6b732c23b330b613a26b29ee1656f18e3b19d
                  • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                  • Instruction Fuzzy Hash: 15013C71900348EBD7109FA5EC4CFAABBBCFB85705F004069F615930A1DBB8E845CB59
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: C:\Users\user\Desktop\documents-pdf.exe$Rmc-AYRCHN$xdF
                  • API String ID: 0-2860730664
                  • Opcode ID: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                  • Instruction ID: aba9e5001813efaab64a826e74c869f50484e31f481253f2615915a29aded468
                  • Opcode Fuzzy Hash: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                  • Instruction Fuzzy Hash: 14F0F6B0604611ABCB102B347E196693A46F742743F40C435FD4ADA2A2EF584C498669
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                  • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$PkGNG$mscoree.dll
                  • API String ID: 4061214504-213444651
                  • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                  • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                  • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                  • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                  APIs
                  • __allrem.LIBCMT ref: 0043ACE9
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                  • __allrem.LIBCMT ref: 0043AD1C
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                  • __allrem.LIBCMT ref: 0043AD51
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 1992179935-0
                  • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                  • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                  • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                  • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                  APIs
                  • __allrem.LIBCMT ref: 0088AF50
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0088AF6C
                  • __allrem.LIBCMT ref: 0088AF83
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0088AFA1
                  • __allrem.LIBCMT ref: 0088AFB8
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0088AFD6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 1992179935-0
                  • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                  • Instruction ID: 7256ffc77a747807e8a950131115788367f10c57bd2bfc98f8a537bffdecec20
                  • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                  • Instruction Fuzzy Hash: 0C81B5B2A00B06ABF728BA6DCC82B6A73A8FF41724F14453FF551D66C1EB74D9408752
                  APIs
                  • _free.LIBCMT ref: 00893BD0
                  • _free.LIBCMT ref: 00893BEA
                  • _free.LIBCMT ref: 00893BF5
                  • _free.LIBCMT ref: 00893CC9
                  • _free.LIBCMT ref: 00893CE5
                    • Part of subcall function 0088BFCF: IsProcessorFeaturePresent.KERNEL32(00000017,0088BFA1,?,?,?,?,?,00000000,?,?,0088BFC1,00000000,00000000,00000000,00000000,00000000), ref: 0088BFD1
                    • Part of subcall function 0088BFCF: GetCurrentProcess.KERNEL32(C0000417), ref: 0088BFF3
                    • Part of subcall function 0088BFCF: TerminateProcess.KERNEL32(00000000), ref: 0088BFFA
                  • _free.LIBCMT ref: 00893CEF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
                  • String ID:
                  • API String ID: 2329545287-0
                  • Opcode ID: 6cafc8de57892fd614af7c3accbdcbc7a01b4784fb7c252a1c394b1424185e80
                  • Instruction ID: d91b804908bee01a80b837ad752822a7fc37d7967d569cfcb2264b830fef6621
                  • Opcode Fuzzy Hash: 6cafc8de57892fd614af7c3accbdcbc7a01b4784fb7c252a1c394b1424185e80
                  • Instruction Fuzzy Hash: 5C519B366046196BDF24BF6CD841ABAB7A8FF40734F2C415EF905EB241EA319F028750
                  APIs
                  • Sleep.KERNEL32(00000000,?), ref: 004044C4
                    • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prologSleep
                  • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                  • API String ID: 3469354165-3054508432
                  • Opcode ID: 8242c6d63c2a95d9810d969610747f429edb049359ef7e6feeeaad418a26c51c
                  • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                  • Opcode Fuzzy Hash: 8242c6d63c2a95d9810d969610747f429edb049359ef7e6feeeaad418a26c51c
                  • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                  APIs
                    • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                  • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                    • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                  • RtlAllocateHeap.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                    • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                    • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
                  • String ID:
                  • API String ID: 2227336758-0
                  • Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                  • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                  • Opcode Fuzzy Hash: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                  • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                  APIs
                  • Sleep.KERNEL32(00000000,?), ref: 0085472B
                    • Part of subcall function 0085486E: __EH_prolog.LIBCMT ref: 00854873
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prologSleep
                  • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                  • API String ID: 3469354165-3054508432
                  • Opcode ID: 157d80eb8e0f3678fafe4a2641bb4748a50a416a1c9fb699c11c746a5f7bd186
                  • Instruction ID: 587e0e10757e8aa2569123df636bc9b1df48b668abbf19a69bf1fb4713a354ed
                  • Opcode Fuzzy Hash: 157d80eb8e0f3678fafe4a2641bb4748a50a416a1c9fb699c11c746a5f7bd186
                  • Instruction Fuzzy Hash: 86510435A042149BCB14FB7C8956A6D3B95FB92756F000429FC09D7392EF648E8DC39B
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: __cftoe
                  • String ID:
                  • API String ID: 4189289331-0
                  • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                  • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                  • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                  • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: __cftoe
                  • String ID:
                  • API String ID: 4189289331-0
                  • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                  • Instruction ID: 5791fd7e6c47e5404bba4c033c52e729a090ea1ce9c4adf34bd1d1135cabe68c
                  • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                  • Instruction Fuzzy Hash: FE51F732904B05ABDF22BB6CCC85EAE77A8FF49724F2C4229F415E6191DB31DE018765
                  APIs
                  • GetForegroundWindow.USER32 ref: 0085A6B8
                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 0085A6C4
                  • GetKeyboardLayout.USER32(00000000), ref: 0085A6CB
                  • GetKeyState.USER32(00000010), ref: 0085A6D5
                  • GetKeyboardState.USER32(?), ref: 0085A6E0
                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0085A79C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                  • String ID:
                  • API String ID: 3566172867-0
                  • Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                  • Instruction ID: 2e9abab12ef369c4f4575c734598eb3f48edd783a39899f3178ccea19f6a95fb
                  • Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                  • Instruction Fuzzy Hash: 61315D72504308BFD704DF94DC85F9B7BECFB88745F00092AB685C61A0E7B1E9488B96
                  APIs
                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00857C67
                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 00857CAF
                    • Part of subcall function 00854D08: send.WS2_32(?,00000000,00000000,00000000), ref: 00854D9D
                  • CloseHandle.KERNEL32(00000000), ref: 00857CEF
                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00857D0C
                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 00857D37
                  • DeleteFileW.KERNEL32(00000000), ref: 00857D47
                    • Part of subcall function 00854DFD: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00854EB0,00000000,00000000,00000000,?,00474EF8,?), ref: 00854E0C
                    • Part of subcall function 00854DFD: SetEvent.KERNEL32(00000000), ref: 00854E2A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                  • String ID:
                  • API String ID: 1303771098-0
                  • Opcode ID: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                  • Instruction ID: 339babfa1058b21b2d9ca2e7055eb1d1159ef5f4d9609619908dad33d8f5e39e
                  • Opcode Fuzzy Hash: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                  • Instruction Fuzzy Hash: E0319E31508344AFC310EB24D8559AFB3A8FF95342F40492EBD86E2151EF74AE4C8B96
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                  • String ID:
                  • API String ID: 493672254-0
                  • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                  • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                  • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                  • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 0086AE14
                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 0086AE2B
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0086AE38
                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 0086AE47
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$Open$CloseControlHandleManager
                  • String ID:
                  • API String ID: 1243734080-0
                  • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                  • Instruction ID: 7fbbdb941b1235f40be098e2e7e699b144833097edcdc4afb5f12199dc29b0f9
                  • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                  • Instruction Fuzzy Hash: EF11E53194031CAF9B216FA4DC89DFF3B6CEB46B62B000425F905E2091DB249D45AAB6
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: __alldvrm$_strrchr
                  • String ID: PkGNG
                  • API String ID: 1036877536-263838557
                  • Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                  • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                  • Opcode Fuzzy Hash: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                  • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                  APIs
                  • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                  • _free.LIBCMT ref: 004482CC
                  • _free.LIBCMT ref: 004482F4
                  • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                  • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                  • _abort.LIBCMT ref: 00448313
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                  • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                  • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                  • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                  APIs
                  • GetLastError.KERNEL32(?,0088F9D7,0088AADC,0088F9D7,00474EF8,PkGNG,0088D0CC,FF8BC35D,00474EF8,00474EF8), ref: 00898500
                  • _free.LIBCMT ref: 00898533
                  • _free.LIBCMT ref: 0089855B
                  • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898568
                  • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00898574
                  • _abort.LIBCMT ref: 0089857A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                  • Instruction ID: 5a0f674ce2a1161852c4bd0c652d261da225443b9c3638b693b1d8873eb105f5
                  • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                  • Instruction Fuzzy Hash: D7F0D635100712EACE11333DBC05B5A2559FBC3771F2E4429F808D6191EE64CA058156
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                  • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                  • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                  • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                  • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                  • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                  • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                  • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                  • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                  • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                  APIs
                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00863D5E
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00863D8D
                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00863E2D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Enum$InfoQueryValue
                  • String ID: xUG$TG
                  • API String ID: 3554306468-3109661684
                  • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                  • Instruction ID: 4eee2e2c333a5112995e94cdb39d24d07dc1f038aae221ee82c3952a6fc9f4ed
                  • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                  • Instruction Fuzzy Hash: 4B510C71900219AADB11EBA8DC86EEFB77DFF15301F500066F905E6195EF706B48CBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                  • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                  • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                  • Instruction ID: ee6e65c77b4bf0ece6c07daa940b2b3577303dc978a6b8d75cce8ed6617d516e
                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                  • Instruction Fuzzy Hash: 4541D471A00304FFDB24BF7CCC41B6A7BE8FB88724F14412AF155DB681D67599018B81
                  APIs
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                  • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404DD2
                  • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                  • String ID: PkGNG
                  • API String ID: 3360349984-263838557
                  • Opcode ID: 0d7e8e5d0409f0745f5a78314cdb8d3ae188519c17736a5bd6be8557a64d207b
                  • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                  • Opcode Fuzzy Hash: 0d7e8e5d0409f0745f5a78314cdb8d3ae188519c17736a5bd6be8557a64d207b
                  • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,00000006,?,00000000,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?), ref: 008A1460
                  • MultiByteToWideChar.KERNEL32(?,00000001,00000006,?,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?,?), ref: 008A14E9
                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,00000006,00000001,?,?,?,00000002,?), ref: 008A14FB
                  • __freea.LIBCMT ref: 008A1504
                    • Part of subcall function 0089641F: RtlAllocateHeap.NTDLL(00000000,008855B0,?), ref: 00896451
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                  • String ID: PkGNG
                  • API String ID: 2652629310-263838557
                  • Opcode ID: 29fbf7857a96745c538d0cac7db2b43cff4be5d8612efa81122893b79f6f153c
                  • Instruction ID: 0717ca41803b51b644168dd5ffb5b96d129343af455413a98ff6a82155a8de5d
                  • Opcode Fuzzy Hash: 29fbf7857a96745c538d0cac7db2b43cff4be5d8612efa81122893b79f6f153c
                  • Instruction Fuzzy Hash: E231BD72A0120AAFEF259FA8CC49DAE7BA5FB45710F084168FC05D6591E735CD50CBA4
                  APIs
                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                  • wsprintfW.USER32 ref: 0040B22E
                    • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: EventLocalTimewsprintf
                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                  • API String ID: 1497725170-248792730
                  • Opcode ID: b92970106d7d5ed65003fb4f3b7a0e91fd1e2f7406e6a9ff2526561c329a63fb
                  • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                  • Opcode Fuzzy Hash: b92970106d7d5ed65003fb4f3b7a0e91fd1e2f7406e6a9ff2526561c329a63fb
                  • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                  • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                  • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSizeSleep
                  • String ID: XQG
                  • API String ID: 1958988193-3606453820
                  • Opcode ID: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                  • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                  • Opcode Fuzzy Hash: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                  • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0085A9EF), ref: 0085A94D
                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0085A9EF), ref: 0085A95C
                  • Sleep.KERNEL32(00002710,?,?,?,0085A9EF), ref: 0085A989
                  • CloseHandle.KERNEL32(00000000,?,?,?,0085A9EF), ref: 0085A990
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSizeSleep
                  • String ID: XQG
                  • API String ID: 1958988193-3606453820
                  • Opcode ID: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                  • Instruction ID: 37a78168a9f8864ce8230f6ac0f7a3918fb101f16e580ac711d6c5b40f71dc95
                  • Opcode Fuzzy Hash: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                  • Instruction Fuzzy Hash: A1113D70640B50BEEB35A73898D973E7F9AFB45303F410628FA91C6592C6545C4CC31B
                  APIs
                  • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                  • GetLastError.KERNEL32 ref: 0041D611
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClassCreateErrorLastRegisterWindow
                  • String ID: 0$MsgWindowClass
                  • API String ID: 2877667751-2410386613
                  • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                  • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                  • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                  • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                  APIs
                  • RegisterClassExA.USER32(00000030), ref: 0086D853
                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0086D86E
                  • GetLastError.KERNEL32 ref: 0086D878
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClassCreateErrorLastRegisterWindow
                  • String ID: 0$MsgWindowClass
                  • API String ID: 2877667751-2410386613
                  • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                  • Instruction ID: cdd4d557d654fd8a9010378ff71b4bbdcd5c54850ddacca9290de9dc0f7167b7
                  • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                  • Instruction Fuzzy Hash: E00125B1E0021DABDB00EFE5DC88DEFBBBCFA05355F00453AF904A6240E77489058BA0
                  APIs
                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                  • CloseHandle.KERNEL32(?), ref: 004077E5
                  • CloseHandle.KERNEL32(?), ref: 004077EA
                  Strings
                  • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreateProcess
                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                  • API String ID: 2922976086-4183131282
                  • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                  • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                  • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                  • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
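The CreateProcessA call in this block starts cmd.exe with the command line `/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f` and dwCreationFlags 0x08000000 (CREATE_NO_WINDOW), which switches UAC off at the next reboot. The Python below is an added example and is not code from the Joe Sandbox report or from Remcos: it parses a reg.exe ADD command line into key, value name, type and data, folds the hive spelling (HKLM vs HKEY_LOCAL_MACHINE) so the key compares reliably, and reports when the write puts a UAC policy value into a weakening state. EnableLUA=0 is what this sample does; ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are included as the general case and do not come from this report. The sample command line is copied from the listing above; live_enablelua() is a host-side confirmation helper that only does anything on Windows.

```python
"""Classify reg.exe ADD command lines that weaken UAC (EnableLUA=0 in this report)."""
from __future__ import annotations

import shlex
import sys
from typing import Optional

# Constructed sample: the lpCommandLine this report shows being handed to cmd.exe.
SAMPLE_CMDLINE = (r"/k %windir%\System32\reg.exe ADD "
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                  r"/v EnableLUA /t REG_DWORD /d 0 /f")

POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
# value name -> (data that weakens UAC, meaning). EnableLUA=0 is what the report shows;
# the other two are the neighbouring policy values and are my generalisation.
WEAKENING = {
    "enablelua": (0, "UAC disabled entirely (effective after the next reboot)"),
    "consentpromptbehavioradmin": (0, "administrators elevate without any prompt"),
    "promptonsecuredesktop": (0, "elevation prompts leave the secure desktop"),
}


def _norm_key(key: str) -> str:
    """Lower-case the key and fold long hive names so different spellings compare equal."""
    hive, _, path = key.replace("/", "\\").partition("\\")
    return HIVES.get(hive.lower(), hive.lower()) + "\\" + path.lower()


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return {key, value, type, data, force} for a 'reg[.exe] ADD' found anywhere in the line."""
    # posix=False keeps backslashes literal and a quoted path-with-spaces as one token.
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    idx = next((i for i, t in enumerate(toks)
                if t.lower() == "reg" or t.lower().endswith("reg.exe")), None)
    if idx is None or len(toks) < idx + 3 or toks[idx + 1].upper() != "ADD":
        return None
    entry = {"key": _norm_key(toks[idx + 2]), "value": None, "type": None,
             "data": None, "force": False}
    switches = {"/v": "value", "/t": "type", "/d": "data"}
    rest = toks[idx + 3:]
    i = 0
    while i < len(rest):
        sw = rest[i].lower()
        if sw == "/f":
            entry["force"] = True
            i += 1
        elif sw in switches and i + 1 < len(rest):
            entry[switches[sw]] = rest[i + 1]
            i += 2
        else:
            i += 1
    return entry


def classify_uac_tamper(cmdline: str) -> Optional[str]:
    """Describe the UAC weakening a command line performs, or None if it is not one."""
    e = parse_reg_add(cmdline)
    if not e or e["key"] != POLICY_KEY or not e["value"] or e["data"] is None:
        return None
    name = e["value"].lower()
    if name not in WEAKENING:
        return None
    try:
        data = int(e["data"], 0)   # reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD
    except ValueError:
        return None
    bad, meaning = WEAKENING[name]
    return f"{e['value']}={data}: {meaning}" if data == bad else None


def live_enablelua() -> Optional[int]:
    """On a Windows host, read the current EnableLUA value so the finding can be confirmed."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "EnableLUA")[0]


if __name__ == "__main__":
    print(classify_uac_tamper(SAMPLE_CMDLINE))
    print("host EnableLUA:", live_enablelua())
```

The parser deliberately looks for `reg.exe ADD` anywhere in the token list rather than at position zero, because here it is wrapped in `cmd.exe /k`, and the same wrapper is what you will see in process-creation telemetry (Sysmon event 1, 4688 with command-line auditing). Matching on the normalised key plus value name plus data, instead of on the literal string from the report, is what keeps the rule working when the attacker switches to `HKEY_LOCAL_MACHINE`, quotes the key, or writes `0x0`.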
                  Strings
                  • Rmc-AYRCHN, xrefs: 00407715
                  • C:\Users\user\Desktop\documents-pdf.exe, xrefs: 004076FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: C:\Users\user\Desktop\documents-pdf.exe$Rmc-AYRCHN
                  • API String ID: 0-1661288098
                  • Opcode ID: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                  • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                  • Opcode Fuzzy Hash: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                  • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                  APIs
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                  • SetEvent.KERNEL32(?), ref: 0040512C
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                  • CloseHandle.KERNEL32(?), ref: 00405140
                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                  • String ID: KeepAlive | Disabled
                  • API String ID: 2993684571-305739064
                  • Opcode ID: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                  • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                  • Opcode Fuzzy Hash: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                  • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                  APIs
                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                  • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                  • Sleep.KERNEL32(00002710), ref: 0041AE98
                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: PlaySound$HandleLocalModuleSleepTime
                  • String ID: Alarm triggered
                  • API String ID: 614609389-2816303416
                  • Opcode ID: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                  • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                  • Opcode Fuzzy Hash: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                  • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                  APIs
                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                  Strings
                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                  • API String ID: 3024135584-2418719853
                  • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                  • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                  • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                  • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                  • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                  • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                  • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                  • Instruction ID: a67d4f4938bd68b3e44d0f4d89ba456b379105e2189153f06402df0e46b3cd0e
                  • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                  • Instruction Fuzzy Hash: 79718231D082179BDF21AB94C888ABEBB7AFF55360B1C4239E811F7181DB708D41D7A1
                  APIs
                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                  • _free.LIBCMT ref: 0044943D
                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                  • _free.LIBCMT ref: 00449609
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                  • String ID:
                  • API String ID: 1286116820-0
                  • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                  • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                  • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                  • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                  APIs
                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 008996B6
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 0089972E
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 0089975B
                  • _free.LIBCMT ref: 008996A4
                    • Part of subcall function 00896A69: HeapFree.KERNEL32(00000000,00000000,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?), ref: 00896A7F
                    • Part of subcall function 00896A69: GetLastError.KERNEL32(?,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?,?), ref: 00896A91
                  • _free.LIBCMT ref: 00899870
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                  • String ID:
                  • API String ID: 1286116820-0
                  • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                  • Instruction ID: eb6de334e375a1bb1c8b130a69a14b591c4b6ae244698db6a1dd7ed1edf5868d
                  • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                  • Instruction Fuzzy Hash: EF51E671900209EBDF14FFAD9D819AAB7BCFF45320B18426EE494E7291EB708E41CB55
                  APIs
                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                  • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                    • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                    • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                  • String ID:
                  • API String ID: 2180151492-0
                  • Opcode ID: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                  • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                  • Opcode Fuzzy Hash: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                  • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                  APIs
                    • Part of subcall function 0086C2AF: GetCurrentProcess.KERNEL32(00000003,?,?,0086B5C9,00000000,004750E4,00000003,004673AC,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0086C2C0
                    • Part of subcall function 0086C2AF: IsWow64Process.KERNEL32(00000000,?,?,0086B5C9,00000000,004750E4,00000003,004673AC,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0086C2C7
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0085FBBD
                  • Process32FirstW.KERNEL32(00000000,?), ref: 0085FBE1
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0085FBF0
                  • CloseHandle.KERNEL32(00000000), ref: 0085FDA7
                    • Part of subcall function 0086C2DD: OpenProcess.KERNEL32(00000400,00000000), ref: 0086C2F2
                    • Part of subcall function 0086C2DD: IsWow64Process.KERNEL32(00000000,?), ref: 0086C2FD
                    • Part of subcall function 0086C4D5: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0086C4ED
                    • Part of subcall function 0086C4D5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0086C500
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0085FD98
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                  • String ID:
                  • API String ID: 2180151492-0
                  • Opcode ID: 90e78233c67fe500e7c897fb9588ef7a3a1ac601b612ffb3a5c256a9fbc119f7
                  • Instruction ID: ed2ebefab4aad0cde745150aee210d209df7669eddb84a954593562e3033b846
                  • Opcode Fuzzy Hash: 90e78233c67fe500e7c897fb9588ef7a3a1ac601b612ffb3a5c256a9fbc119f7
                  • Instruction Fuzzy Hash: 5B4100351482449BC325FB28DD52AEFB3A8FFA5341F50452DB989C2196FF30AA0DC657
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                  • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                  • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                  • Instruction ID: 5db6399edfeb8aa4195540afb7c60bbd06d8310adea247407ff3ef31925d220a
                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                  • Instruction Fuzzy Hash: 6241E236A002049FDF14EFBCC881A5AB7B5FF85714B1945A9E915EB341E730AD42CB80
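Added example, not part of the Joe Sandbox report: the records above list the same functions twice, once in the image-backed region at 0x400000 ("based on PE: true") and once in the non-image region at 0x850000 ("based on PE: false"). The two _free records share one Opcode ID but carry different Instruction IDs, while the two process-enumeration records (CreateToolhelp32Snapshot / Process32FirstW / Process32NextW) share an API String ID but have different Opcode IDs. The script below parses records in this listing's own format and groups them by API String ID to report how the copies in the two regions relate. The sample input is a transcribed subset of the entries above, trimmed to the fields the script reads; the names parse_records and correlate are chosen here; and the reading of Opcode ID as a hash over opcodes only and Instruction ID as a hash over full instructions including operands is an assumption that fits the data, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: four records transcribed from the entries above, trimmed
# to the fields this script reads (call lines, Source File, the three IDs).
SAMPLE_RECORDS = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
• Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
Memory Dump Source
• Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API String ID: 2180151492-0
• Opcode ID: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
• Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0085FBBD
• Process32FirstW.KERNEL32(00000000,?), ref: 0085FBE1
Memory Dump Source
• Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
Similarity
• API String ID: 2180151492-0
• Opcode ID: 90e78233c67fe500e7c897fb9588ef7a3a1ac601b612ffb3a5c256a9fbc119f7
• Instruction ID: ed2ebefab4aad0cde745150aee210d209df7669eddb84a954593562e3033b846
APIs
Memory Dump Source
• Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API String ID: 269201875-0
• Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
• Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
APIs
Memory Dump Source
• Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
Similarity
• API String ID: 269201875-0
• Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
• Instruction ID: 5db6399edfeb8aa4195540afb7c60bbd06d8310adea247407ff3ef31925d220a
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed by "Part of subcall function XXXXXXXX:" for calls made by callees.
CALL_RE = re.compile(r"^\s*•\s*(Part of subcall function [0-9A-F]{8}:\s*)?(\w+)\.(\w+)(?:\(.*\))?,?\s+ref:\s*[0-9A-F]{8}")
FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*)$")
SOURCE_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")


def parse_records(text):
    """Split the listing into one dict per function record."""
    records, cur = [], None
    for line in text.splitlines():
        header = line.strip()
        # A record opens with its APIs (or Strings) header; a later header only
        # starts a new record once the current one has seen its Source File.
        if header in ("APIs", "Strings") and (cur is None or "offset" in cur):
            cur = {"calls": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:  # (api name, module, reached via a subcall?)
            cur["calls"].append((m.group(2), m.group(3), m.group(1) is not None))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            s = SOURCE_RE.search(value)
            if s:
                cur["offset"] = int(s.group(1), 16)
                cur["image_backed"] = s.group(2) == "true"
        elif key in ("API String ID", "Opcode ID", "Instruction ID"):
            cur[key.lower().replace(" ", "_")] = value
    return records


def correlate(records):
    """Group records by API String ID and classify copies found in several regions."""
    by_api = defaultdict(list)
    for r in records:
        if "api_string_id" in r and "offset" in r:
            by_api[r["api_string_id"]].append(r)
    result = {}
    for api_id, group in by_api.items():
        regions = sorted({r["offset"] for r in group})
        if len(regions) < 2:
            continue  # seen in one region only: nothing to compare
        opcode_ids = {r["opcode_id"] for r in group}
        result[api_id] = {
            "regions": regions,
            "image_backed": sorted({r["offset"] for r in group if r["image_backed"]}),
            # Assumption: Opcode ID hashes opcodes only, Instruction ID the full
            # instructions. One Opcode ID across regions then means the same code
            # at a new base, with Instruction IDs differing through address operands.
            "verdict": "identical_code" if len(opcode_ids) == 1 else "same_api_shape",
            "distinct_instruction_ids": len({r["instruction_id"] for r in group}),
        }
    return result


if __name__ == "__main__":
    for api_id, info in correlate(parse_records(SAMPLE_RECORDS)).items():
        print(api_id, info["verdict"], [hex(o) for o in info["regions"]])
```

On the sample, API String ID 269201875-0 (_free) comes out as identical_code in both regions with two distinct Instruction IDs, and 2180151492-0 (the Process32 enumeration) as same_api_shape, since its Opcode IDs differ between 0x400000 and 0x850000. Run over the whole listing, the image_backed field is what separates functions present only in the PE image from those that also exist in the non-image region at 0x850000.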
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                  • _free.LIBCMT ref: 0044F43F
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  • String ID:
                  • API String ID: 336800556-0
                  • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                  • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                  • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                  • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 0089F64A
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0089F66D
                    • Part of subcall function 0089641F: RtlAllocateHeap.NTDLL(00000000,008855B0,?), ref: 00896451
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0089F693
                  • _free.LIBCMT ref: 0089F6A6
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0089F6B5
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  • String ID:
                  • API String ID: 336800556-0
                  • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                  • Instruction ID: 01cda431e47020c5f8c66ac77b3a21035d6530ff74dfbb80da22aa4d941d226f
                  • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                  • Instruction Fuzzy Hash: 40017172605725BF2B263AAA5C8CC7B6A6DEAD6BA531D0139FE04C2152EE61CC0181B5
                  APIs
                  • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                  • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreatePointerWrite
                  • String ID:
                  • API String ID: 1852769593-0
                  • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                  • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                  • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                  • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                  APIs
                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0086C808,00000000,00000000,?), ref: 0086C728
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0086C808,00000000,00000000,?,?,0085AB89), ref: 0086C745
                  • CloseHandle.KERNEL32(00000000,?,00000000,0086C808,00000000,00000000,?,?,0085AB89), ref: 0086C751
                  • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0086C808,00000000,00000000,?,?,0085AB89), ref: 0086C762
                  • CloseHandle.KERNEL32(00000000,?,00000000,0086C808,00000000,00000000,?,?,0085AB89), ref: 0086C76F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreatePointerWrite
                  • String ID:
                  • API String ID: 1852769593-0
                  • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                  • Instruction ID: 22d7471799b2352a00f7ee2df9eff9edefac6205e984d40ddfcb9a4674a126f1
                  • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                  • Instruction Fuzzy Hash: 8B1104B1204219BFE7104E28AC88E7B739CFB5A365F114629F692C21C1D7208C059A74
                  APIs
                  • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                  • _free.LIBCMT ref: 00448353
                  • _free.LIBCMT ref: 0044837A
                  • SetLastError.KERNEL32(00000000), ref: 00448387
                  • SetLastError.KERNEL32(00000000), ref: 00448390
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free
                  • String ID:
                  • API String ID: 3170660625-0
                  • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                  • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                  • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                  • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                  APIs
                  • GetLastError.KERNEL32(?,00000000,?,0088BF3D,00000000,?,?,0088BFC1,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00898585
                  • _free.LIBCMT ref: 008985BA
                  • _free.LIBCMT ref: 008985E1
                  • SetLastError.KERNEL32(00000000), ref: 008985EE
                  • SetLastError.KERNEL32(00000000), ref: 008985F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free
                  • String ID:
                  • API String ID: 3170660625-0
                  • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                  • Instruction ID: c41fc96a950bbdc05e138463901b2bfdc115e0c9bd5f21932538027b1c6364c7
                  • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                  • Instruction Fuzzy Hash: AF01D676200703EBCF12776D5C45E1B2299FBC377573E0129F909E2192EE64CE098155
                  APIs
                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseHandleOpen$FileImageName
                  • String ID:
                  • API String ID: 2951400881-0
                  • Opcode ID: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                  • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                  • Opcode Fuzzy Hash: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                  • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                  APIs
                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0086C4ED
                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0086C500
                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0086C520
                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0086C52B
                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0086C533
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseHandleOpen$FileImageName
                  • String ID:
                  • API String ID: 2951400881-0
                  • Opcode ID: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                  • Instruction ID: 296738fc1f5f0a193095403edd65b4048ca26b412b1855aab3b4ff1ccc671a23
                  • Opcode Fuzzy Hash: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                  • Instruction Fuzzy Hash: DB01F971200319ABD71067689C4DF7AB67CFB84796F010165F989D32E2FF60AE414675
                  APIs
                  • _free.LIBCMT ref: 00450A54
                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                  • _free.LIBCMT ref: 00450A66
                  • _free.LIBCMT ref: 00450A78
                  • _free.LIBCMT ref: 00450A8A
                  • _free.LIBCMT ref: 00450A9C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                  • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                  • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                  APIs
                  • _free.LIBCMT ref: 008A0CBB
                    • Part of subcall function 00896A69: HeapFree.KERNEL32(00000000,00000000,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?), ref: 00896A7F
                    • Part of subcall function 00896A69: GetLastError.KERNEL32(?,?,008A0F56,?,00000000,?,00000000,?,008A11FA,?,00000007,?,?,008A1745,?,?), ref: 00896A91
                  • _free.LIBCMT ref: 008A0CCD
                  • _free.LIBCMT ref: 008A0CDF
                  • _free.LIBCMT ref: 008A0CF1
                  • _free.LIBCMT ref: 008A0D03
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                  • Instruction ID: 48786e63ddefe5e8a5c5a81428596d479fe2d691831d473a5a5ad3f76b53560c
                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                  • Instruction Fuzzy Hash: 9EF01232514211AF9B20EB9DF9C6C1A73D9FB05B207A88919F54DEB910DB34FDC08A55
                  APIs
                  • _free.LIBCMT ref: 00444106
                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                  • _free.LIBCMT ref: 00444118
                  • _free.LIBCMT ref: 0044412B
                  • _free.LIBCMT ref: 0044413C
                  • _free.LIBCMT ref: 0044414D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                  • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                  • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                  • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                  • Instruction ID: da8fb74aa53f7b39327717419ea6793f6800af9799f3d5c2cf6102f7e15971fb
                  • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                  • Instruction Fuzzy Hash: 1451C171D00209AAEF109FA5D885BAFBBB8EF45314F14015FE905A7291CB38D911CBA9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                  • Instruction ID: 28bf68c649ca833b452a3fe02b377157e8a24b54b6474ec4997b8e4d1ddf20d2
                  • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                  • Instruction Fuzzy Hash: 21519E71E002099ACF11BFA8DE45EEE7BB8FF05314F180459F911E7291DB709901CBA2
                  APIs
                  • _strpbrk.LIBCMT ref: 0044E7B8
                  • _free.LIBCMT ref: 0044E8D5
                    • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,?,?,?,?,?,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                    • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD8C
                    • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000), ref: 0043BD93
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                  • String ID: *?$.
                  • API String ID: 2812119850-3972193922
                  • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                  • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                  • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                  • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                  APIs
                  • _strpbrk.LIBCMT ref: 0089EA1F
                  • _free.LIBCMT ref: 0089EB3C
                    • Part of subcall function 0088BFCF: IsProcessorFeaturePresent.KERNEL32(00000017,0088BFA1,?,?,?,?,?,00000000,?,?,0088BFC1,00000000,00000000,00000000,00000000,00000000), ref: 0088BFD1
                    • Part of subcall function 0088BFCF: GetCurrentProcess.KERNEL32(C0000417), ref: 0088BFF3
                    • Part of subcall function 0088BFCF: TerminateProcess.KERNEL32(00000000), ref: 0088BFFA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                  • String ID: *?$.
                  • API String ID: 2812119850-3972193922
                  • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                  • Instruction ID: e81dccf0af68080ce66106cee2e42ef2133b56309a6933097d147a85ba4672d0
                  • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                  • Instruction Fuzzy Hash: 5051A271E0021AEFDF14EFA8C881AADBBF5FF58314F288169E855E7351E6359E018B50
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountEventTick
                  • String ID: !D@$NG
                  • API String ID: 180926312-2721294649
                  • Opcode ID: cfbf5709856e2c9a7e773eb826f0501420a75fef6b030044073f11bcf6146ff0
                  • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                  • Opcode Fuzzy Hash: cfbf5709856e2c9a7e773eb826f0501420a75fef6b030044073f11bcf6146ff0
                  • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                  APIs
                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                    • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                    • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateFileKeyboardLayoutNameconnectsend
                  • String ID: XQG$NG$PG
                  • API String ID: 1634807452-3565412412
                  • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                  • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                  • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                  • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                  APIs
                  • GetKeyboardLayoutNameA.USER32(?), ref: 0085A175
                    • Part of subcall function 00854B2F: connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 00854B47
                    • Part of subcall function 0086C80D: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,0085A1FD,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0086C822
                    • Part of subcall function 00854D08: send.WS2_32(?,00000000,00000000,00000000), ref: 00854D9D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateFileKeyboardLayoutNameconnectsend
                  • String ID: XQG$NG$PG
                  • API String ID: 1634807452-3565412412
                  • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                  • Instruction ID: fb673f89819c50e1477a6af2c853473f4264490459e7265396f83c1d22145b97
                  • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                  • Instruction Fuzzy Hash: F25142355482809BC329FB38E851AEFB3D5FFA5341F50492DB88AC7196EE305A4DC653
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\documents-pdf.exe,00000104), ref: 00443515
                  • _free.LIBCMT ref: 004435E0
                  • _free.LIBCMT ref: 004435EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Users\user\Desktop\documents-pdf.exe
                  • API String ID: 2506810119-2950983808
                  • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                  • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                  • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                  • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\documents-pdf.exe,00000104), ref: 0089377C
                  • _free.LIBCMT ref: 00893847
                  • _free.LIBCMT ref: 00893851
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Users\user\Desktop\documents-pdf.exe
                  • API String ID: 2506810119-2950983808
                  • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                  • Instruction ID: dc794cc3a16e047618be2b68e9bab362d5d289efac4e054e137fd241c8deb436
                  • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                  • Instruction Fuzzy Hash: A93181B1A00258BFDF21EB999D8599EBBECFB85710F184076F409E7211D6B08B80CB91
                  APIs
                  • ShellExecuteW.SHELL32(00000000,00466118,0046C7C0,00000000,00000000,00000000), ref: 00867797
                    • Part of subcall function 0086C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00854396,00465E84), ref: 0086C796
                  • Sleep.KERNEL32(00000064), ref: 008677C3
                  • DeleteFileW.KERNEL32(00000000), ref: 008677F7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CreateDeleteExecuteShellSleep
                  • String ID: /t
                  • API String ID: 1462127192-3161277685
                  • Opcode ID: f730c0b347a8ee613e59fb056768ff0538d175567b71a323561873fa5d1aa4eb
                  • Instruction ID: fbc84b1d6eebe9336fd03e958e32ab5b0cbcceb954e279879d65ebcbeb5c303c
                  • Opcode Fuzzy Hash: f730c0b347a8ee613e59fb056768ff0538d175567b71a323561873fa5d1aa4eb
                  • Instruction Fuzzy Hash: 473143319506199ADB04FBA8DC92DEE7734FF11306F400165F906E3192EF246E8ECB96
                  APIs
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                  • GetLastError.KERNEL32 ref: 0044B9B1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharErrorFileLastMultiWideWrite
                  • String ID: PkGNG
                  • API String ID: 2456169464-263838557
                  • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                  • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                  • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                  • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                  APIs
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0089BE65,?,00000000,FF8BC35D), ref: 0089BBB9
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0089BBE7
                  • GetLastError.KERNEL32 ref: 0089BC18
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharErrorFileLastMultiWideWrite
                  • String ID: PkGNG
                  • API String ID: 2456169464-263838557
                  • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                  • Instruction ID: 7c2214f5c50dabda7f8e45113cac2b19e22b21bd4aeeab63c58c23529daf77a2
                  • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                  • Instruction Fuzzy Hash: FB313D75A00219AFDF14DF69DD819EAB7B8FB18315F1444BEE90AD7290DB30AD80CB64
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                  • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                  • String ID: /sort "Visit Time" /stext "$0NG
                  • API String ID: 368326130-3219657780
                  • Opcode ID: f6a4c9ea61f3b38673fa7791a43e1fcc246f1686357cc57385a7603d1058b738
                  • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                  • Opcode Fuzzy Hash: f6a4c9ea61f3b38673fa7791a43e1fcc246f1686357cc57385a7603d1058b738
                  • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                  APIs
                  • _wcslen.LIBCMT ref: 00416330
                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                    • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                    • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _wcslen$CloseCreateValue
                  • String ID: !D@$okmode$PG
                  • API String ID: 3411444782-3370592832
                  • Opcode ID: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                  • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                  • Opcode Fuzzy Hash: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                  • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                  APIs
                    • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                  Strings
                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                  • User Data\Default\Network\Cookies, xrefs: 0040C63E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                  • API String ID: 1174141254-1980882731
                  • Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                  • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                  • Opcode Fuzzy Hash: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                  • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                  APIs
                    • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                  Strings
                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                  • User Data\Default\Network\Cookies, xrefs: 0040C70D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                  • API String ID: 1174141254-1980882731
                  • Opcode ID: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                  • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                  • Opcode Fuzzy Hash: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                  • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                  APIs
                  • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                  • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                  • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateThread$LocalTimewsprintf
                  • String ID: Offline Keylogger Started
                  • API String ID: 465354869-4114347211
                  • Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                  • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                  • Opcode Fuzzy Hash: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                  • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                  APIs
                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0085B414
                  • wsprintfW.USER32 ref: 0085B495
                    • Part of subcall function 0085A8D8: SetEvent.KERNEL32(00000000,?,00000000,0085B4AC,00000000), ref: 0085A904
                  Strings
                  • [%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0085B41D
                  • Offline Keylogger Started, xrefs: 0085B40D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: EventLocalTimewsprintf
                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
                  • API String ID: 1497725170-184404310
                  • Opcode ID: da05e807d6314d5b6d90eba55f19dcd7dbfb82d31573963669363ff37f469dbe
                  • Instruction ID: ebb3b14fbd51778f2c218c4bd5831e740f5fee1999645f8c9c80c65bf0e0cf78
                  • Opcode Fuzzy Hash: da05e807d6314d5b6d90eba55f19dcd7dbfb82d31573963669363ff37f469dbe
                  • Instruction Fuzzy Hash: 9A112772504518A6CB18FB58DC51CFF77B8FE59352B00011AF902D6191EF786A89C7AA
                  APIs
                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                  • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                  • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                  • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateThread$LocalTime$wsprintf
                  • String ID: Online Keylogger Started
                  • API String ID: 112202259-1258561607
                  • Opcode ID: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                  • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                  • Opcode Fuzzy Hash: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                  • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                  APIs
                  • SetEvent.KERNEL32(00000000), ref: 008550AA
                  • CloseHandle.KERNEL32(00000000), ref: 008550B3
                  • closesocket.WS2_32(FFFFFFFF), ref: 008550C1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandleclosesocket
                  • String ID: PkGNG
                  • API String ID: 803913606-263838557
                  • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                  • Instruction ID: fb7ed794a5994bcb57cd8ed8870f7f2bca1b2c45ff04bf79996c1ef0ef3615c6
                  • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                  • Instruction Fuzzy Hash: 82211531054F00EFDB316B25DC59B26BBA2FF40326F204A2CE5A641AF1CB62E855DB59
                  APIs
                  • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime
                  • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                  • API String ID: 481472006-3277280411
                  • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                  • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                  • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                  • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 00404F81
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                  • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$EventLocalThreadTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 2532271599-1507639952
                  • Opcode ID: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                  • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                  • Opcode Fuzzy Hash: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                  • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 008551E8
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00855234
                  • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00855247
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 008551FB
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$EventLocalThreadTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 2532271599-1507639952
                  • Opcode ID: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                  • Instruction ID: bbe991a1a933680334b05a1aed2649cce5c17d7ef313ef74e84f5d0a776bebb4
                  • Opcode Fuzzy Hash: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                  • Instruction Fuzzy Hash: 1F110631804784ABCB20B77A9C0DBABBFA8EBD3711F04005EFC4296151DA749449CBA2
                  APIs
                  • _wcslen.LIBCMT ref: 008577C3
                  • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 00857824
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object_wcslen
                  • String ID: $${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                  • API String ID: 240030777-2784132835
                  • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                  • Instruction ID: 247d8d2bcd0d6ecce7e4f825ee98cb595829e71b3cd57fe3b5db2b821fc23289
                  • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                  • Instruction Fuzzy Hash: B5118A71904218ABD710F6989C45EDEB7BCEB54721F154066FD04E2241E7789A48C7AB
                  APIs
                  • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                  • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: CryptUnprotectData$crypt32
                  • API String ID: 2574300362-2380590389
                  • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                  • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                  • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                  • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                  APIs
                  • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                  • GetLastError.KERNEL32 ref: 0044C316
                  • __dosmaperr.LIBCMT ref: 0044C31D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastPointer__dosmaperr
                  • String ID: PkGNG
                  • API String ID: 2336955059-263838557
                  • Opcode ID: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                  • Instruction ID: 8193a85edd99f1e073baf55791db2896ff72ac9ff19ac05387a69161c0de0417
                  • Opcode Fuzzy Hash: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                  • Instruction Fuzzy Hash: FB019032A11108BBDB01DFDDDC4586E7B19EB81320B28034EFD2097280EAB4DD119794
                  APIs
                  • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0089C5E9,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0089C573
                  • GetLastError.KERNEL32 ref: 0089C57D
                  • __dosmaperr.LIBCMT ref: 0089C584
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastPointer__dosmaperr
                  • String ID: PkGNG
                  • API String ID: 2336955059-263838557
                  • Opcode ID: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                  • Instruction ID: 52679ceb936076e231b54ad5dbc380929644792a812de051a7c924ed4d007197
                  • Opcode Fuzzy Hash: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                  • Instruction Fuzzy Hash: 74012D32610614AFCF05BF99DC0585D3B2AFB85320B290259F825D7191EA72ED508B91
                  APIs
                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                  • CloseHandle.KERNEL32(?), ref: 004051CA
                  • SetEvent.KERNEL32(?), ref: 004051D9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandleObjectSingleWait
                  • String ID: Connection Timeout
                  • API String ID: 2055531096-499159329
                  • Opcode ID: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                  • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                  • Opcode Fuzzy Hash: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                  • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Exception@8Throw
                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 2005118841-1866435925
                  • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                  • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                  • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                  • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                  APIs
                  • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                  • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FormatFreeLocalMessage
                  • String ID: @J@$PkGNG
                  • API String ID: 1427518018-1416487119
                  • Opcode ID: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                  • Instruction ID: 923000db8f6a2d31ebee0df48ef62036c6bc2ff20d3f060cbaedccf048ea6ec3
                  • Opcode Fuzzy Hash: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                  • Instruction Fuzzy Hash: 34F0A930B00219A6DF14A766DC4ADFF772DDB44305B10407FB605B21D1DE785D059659
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                  • String ID: bad locale name
                  • API String ID: 3628047217-1405518554
                  • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                  • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                  • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                  • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                  APIs
                  • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 00863AC1
                  • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0085FAC5,pth_unenc,004752D8), ref: 00863AEF
                  • RegCloseKey.ADVAPI32(004752D8,?,0085FAC5,pth_unenc,004752D8), ref: 00863AFA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: pth_unenc
                  • API String ID: 1818849710-4028850238
                  • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                  • Instruction ID: 8bb877d82b6fe2fc199db36f38c9005b57a200002df2142cc602a162ffe1640f
                  • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                  • Instruction Fuzzy Hash: E2F04971580218BBDF009BA4EC46EEF376CFB45B62F104924F905E6161EB31AF08DA90
                  APIs
                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                  • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                  • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: Control Panel\Desktop
                  • API String ID: 1818849710-27424756
                  • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                  • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                  • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                  • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,0045D3BC,00000000,?,?,PkGNG,008935F2,00000003,PkGNG,00893592,00000003,0046E958,0000000C,008936E9,00000003,00000002), ref: 00893661
                  • GetProcAddress.KERNEL32(00000000,0045D3D4), ref: 00893674
                  • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,008935F2,00000003,PkGNG,00893592,00000003,0046E958,0000000C,008936E9,00000003,00000002,00000000,PkGNG), ref: 00893697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: PkGNG
                  • API String ID: 4061214504-263838557
                  • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                  • Instruction ID: 21f5fe3f8636ab64760108a90cee19bb2d24afa0baa85a674a1ad1cf686fd74e
                  • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                  • Instruction Fuzzy Hash: 2AF03131900308FBDF11AFA5DC09B9DBBB4FF04712F0541A9F805E2261EB749E40DA99
                  APIs
                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 00863A20
                  • RegSetValueExA.ADVAPI32(0046612C,0046CBC8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0086CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000), ref: 00863A48
                  • RegCloseKey.ADVAPI32(0046612C,?,?,0086CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000,?,008589FF,00000001), ref: 00863A53
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: Control Panel\Desktop
                  • API String ID: 1818849710-27424756
                  • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                  • Instruction ID: 40e982510ab8bb1405f4d1c3088890afeb98a924962785c047be57880c77c021
                  • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                  • Instruction Fuzzy Hash: 3BF06D32440218FBCF00AFA4ED45EEA776CEF15B52F104664BD0AA6062EA319F14EA90
                  APIs
                  • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                  • ShowWindow.USER32(00000009), ref: 00416C9C
                  • SetForegroundWindow.USER32 ref: 00416CA8
                    • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                    • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                    • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                    • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                  • String ID: !D@
                  • API String ID: 186401046-604454484
                  • Opcode ID: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                  • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                  • Opcode Fuzzy Hash: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                  • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                  APIs
                  • CreateThread.KERNEL32(00000000,00000000,0041D4EE,00000000,00000000,00000000), ref: 00866EE9
                  • ShowWindow.USER32(00000009), ref: 00866F03
                  • SetForegroundWindow.USER32 ref: 00866F0F
                    • Part of subcall function 0086D093: AllocConsole.KERNEL32 ref: 0086D09C
                    • Part of subcall function 0086D093: GetConsoleWindow.KERNEL32 ref: 0086D0A2
                    • Part of subcall function 0086D093: ShowWindow.USER32(00000000,00000000), ref: 0086D0B5
                    • Part of subcall function 0086D093: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0086D0DA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                  • String ID: !D@
                  • API String ID: 186401046-604454484
                  • Opcode ID: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                  • Instruction ID: 5cc2e9b7f465036263d65c143fcde4e854981d51b9625afac12f496bc98645b7
                  • Opcode Fuzzy Hash: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                  • Instruction Fuzzy Hash: ACF08270148640EFD320AB64EE46ABA7758FB64302F514836FD09C61A2EF315C59969A
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell
                  • String ID: /C $cmd.exe$open
                  • API String ID: 587946157-3896048727
                  • Opcode ID: df79394fdd2e8ac4c6a51a4d6bf5cb7422c6ad95fc7d3df390015c01fd08e55b
                  • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                  • Opcode Fuzzy Hash: df79394fdd2e8ac4c6a51a4d6bf5cb7422c6ad95fc7d3df390015c01fd08e55b
                  • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                  APIs
                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                  • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: GetCursorInfo$User32.dll
                  • API String ID: 1646373207-2714051624
                  • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                  • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                  • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                  • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                  APIs
                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                  • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: GetLastInputInfo$User32.dll
                  • API String ID: 2574300362-1519888992
                  • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                  • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                  • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                  • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: __alldvrm$_strrchr
                  • String ID:
                  • API String ID: 1036877536-0
                  • Opcode ID: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
                  • Instruction ID: 8cb36dead175671ffa0af2b292ae47ae1996494096d8bbf22fb8413cc1c6ad7e
                  • Opcode Fuzzy Hash: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
                  • Instruction Fuzzy Hash: ABA14572A043869FEF29AF58C8817AEBBE4FF51310F1D416DE585DB281C6748D41C792
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,0046CAF0,00000000,00020019,?), ref: 0086C9A9
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0086C9ED
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnumOpen
                  • String ID:
                  • API String ID: 3231578192-0
                  • Opcode ID: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                  • Instruction ID: 12b056251cfcfa59d53930ed36b84558329405f7a2cbc0743a60430ef01d8853
                  • Opcode Fuzzy Hash: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                  • Instruction Fuzzy Hash: 4C811D311183459BD325EB24D852EEFB7E8FF95305F10492EB98AC2191EF70AA4DCA53
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                  • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                  • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                  • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                  APIs
                  Strings
                  • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                  • Cleared browsers logins and cookies., xrefs: 0040C130
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Sleep
                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                  • API String ID: 3472027048-1236744412
                  • Opcode ID: 857d3cd121560083d8ce3f08402db4584d0000cc5e9f96a8e1a49aed9ab164ab
                  • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                  • Opcode Fuzzy Hash: 857d3cd121560083d8ce3f08402db4584d0000cc5e9f96a8e1a49aed9ab164ab
                  • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                  APIs
                    • Part of subcall function 0086399A: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 008639B6
                    • Part of subcall function 0086399A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 008639CF
                    • Part of subcall function 0086399A: RegCloseKey.ADVAPI32(?), ref: 008639DA
                  • Sleep.KERNEL32(00000BB8), ref: 00862A1C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQuerySleepValue
                  • String ID: 8SG$exepath$xdF
                  • API String ID: 4119054056-3578471011
                  • Opcode ID: 977866b65a9b04f8ae2c6d7eb0dc57cf2c81b09f37f839369ebea4010998f4e6
                  • Instruction ID: 6d825fb17c1e41b32eaf55619ac4bdf8736c09d9ace13f81afa95f9656b04dad
                  • Opcode Fuzzy Hash: 977866b65a9b04f8ae2c6d7eb0dc57cf2c81b09f37f839369ebea4010998f4e6
                  • Instruction Fuzzy Hash: 72213A91B0071427DA14B67C2C06A7F728DFB92342F404979BD05DB2C3EEA89D0D826B
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 00855726
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 008557D6
                  • TranslateMessage.USER32(?), ref: 008557E5
                  • DispatchMessageA.USER32(?), ref: 008557F0
                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 008558A8
                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 008558E0
                    • Part of subcall function 00854D08: send.WS2_32(?,00000000,00000000,00000000), ref: 00854D9D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                  • String ID:
                  • API String ID: 2956720200-0
                  • Opcode ID: 2cd85522589ee397d0502ceedecbb57e3328b3dadc5e25a82386769950989675
                  • Instruction ID: 43bc62d87d3687c9f4a52cf7152d606e4783f6c573a59c9ab09301cd1a78cdb8
                  • Opcode Fuzzy Hash: 2cd85522589ee397d0502ceedecbb57e3328b3dadc5e25a82386769950989675
                  • Instruction Fuzzy Hash: 12215E715046059BCB10EBB8CD5A8AE7BA8FF86752F400928FD16C3196EF24D909CA53
                  APIs
                    • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                    • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                    • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                  • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                  • Sleep.KERNEL32(00000064), ref: 0040A638
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$SleepText$ForegroundLength
                  • String ID: [ $ ]
                  • API String ID: 3309952895-93608704
                  • Opcode ID: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                  • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                  • Opcode Fuzzy Hash: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                  • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: SystemTimes$Sleep__aulldiv
                  • String ID:
                  • API String ID: 188215759-0
                  • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                  • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                  • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                  • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                  • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                  • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                  • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: SystemTimes$Sleep__aulldiv
                  • String ID:
                  • API String ID: 188215759-0
                  • Opcode ID: cf9949316d284336a99c3e29d524757d388739d188393f984dc2d6745cc506f6
                  • Instruction ID: a721fabd2eb05079fef0ce1d2708712b4346ca708d7304f9f45fc45271c4b938
                  • Opcode Fuzzy Hash: cf9949316d284336a99c3e29d524757d388739d188393f984dc2d6745cc506f6
                  • Instruction Fuzzy Hash: 161160729043546FC304FAB8CC85DAB7BACEAC5264F054A39B546C2041FE24D6488762
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                  • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                  • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                  • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                  • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                  • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                  • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                  • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,008987F4,?,00000000,00000000,00000000,?,00898B20,00000006,0045A3E4), ref: 0089887F
                  • GetLastError.KERNEL32(?,008987F4,?,00000000,00000000,00000000,?,00898B20,00000006,0045A3E4,0045F170,0045F178,00000000,00000364,?,008985CE), ref: 0089888B
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008987F4,?,00000000,00000000,00000000,?,00898B20,00000006,0045A3E4,0045F170,0045F178,00000000), ref: 00898899
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                  • Instruction ID: aec3fafeafdb0d5404ce5fca65892eb663f656ad65058a090907b7b59d06dcd8
                  • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                  • Instruction Fuzzy Hash: 9B01D432606227EBDF219A69AC44A567758FF46BA1B680934FD09E3181DF20DC00C6F4
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                  • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleReadSize
                  • String ID:
                  • API String ID: 3919263394-0
                  • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                  • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                  • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                  • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00854396,00465E84), ref: 0086C796
                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00854396,00465E84), ref: 0086C7AA
                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00854396,00465E84), ref: 0086C7CF
                  • CloseHandle.KERNEL32(00000000,?,00000000,00854396,00465E84), ref: 0086C7DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleReadSize
                  • String ID:
                  • API String ID: 3919263394-0
                  • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                  • Instruction ID: 0ae33259a5f8b3ee331ec08828a0e0fc163a67aef9b9e97bd5efbede0ca2f32f
                  • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                  • Instruction Fuzzy Hash: 17F062B5241218BFE6102B28AC89EBB379CEB8A7A6F110629FD42D21C1DA258D055535
                  APIs
                  • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                    • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                  • _UnwindNestedFrames.LIBCMT ref: 00439911
                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                  • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                  • String ID:
                  • API String ID: 2633735394-0
                  • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                  • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                  • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                  • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                  APIs
                  • AllocConsole.KERNEL32 ref: 0086D09C
                  • GetConsoleWindow.KERNEL32 ref: 0086D0A2
                  • ShowWindow.USER32(00000000,00000000), ref: 0086D0B5
                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0086D0DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Console$Window$AllocOutputShow
                  • String ID:
                  • API String ID: 4067487056-0
                  • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                  • Instruction ID: 7da7ae0c41044c7d698c580083b3d2e6c05d57dcfc9b48f4fac786fe3ad97a10
                  • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                  • Instruction Fuzzy Hash: A5012171A843047ADA10F7F49D8BF9D77ACEB54B01F540426BA04E70C2E7699904866B
                  APIs
                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00889B61
                    • Part of subcall function 0088A199: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 0088A1C8
                    • Part of subcall function 0088A199: ___AdjustPointer.LIBCMT ref: 0088A1E3
                  • _UnwindNestedFrames.LIBCMT ref: 00889B78
                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00889B8A
                  • CallCatchBlock.LIBVCRUNTIME ref: 00889BAE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                  • String ID:
                  • API String ID: 2901542994-0
                  • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                  • Instruction ID: f95ac81de4c133ea3b5f6009e3efe6fe26c33a891e1a295c1fe8b1175ab78880
                  • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                  • Instruction Fuzzy Hash: 0B014C32000109BBCF12AF59DC05EEA3BBAFF48714F094115F958A5120D372E861DBA1
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 0086ADAD
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 0086ADC1
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0086ADCE
                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 0086ADDD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$Open$CloseControlHandleManager
                  • String ID:
                  • API String ID: 1243734080-0
                  • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                  • Instruction ID: 9be5e83f4e293a2ac779c194b3ad8f1a1502239fdd5ef17098b4b7c54cfbdaf6
                  • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                  • Instruction Fuzzy Hash: F1F0C231540318ABD6116F249C49DBF3B6CEB85A52F000025FD05D2182DE24DD499AE5
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0086AEB1
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0086AEC5
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0086AED2
                  • ControlService.ADVAPI32(00000000,00000002,?), ref: 0086AEE1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$Open$CloseControlHandleManager
                  • String ID:
                  • API String ID: 1243734080-0
                  • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                  • Instruction ID: 80e271c68935bf244adbc396ea42a059ce1a124dc9a25094931cde5f30533794
                  • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                  • Instruction Fuzzy Hash: E8F0C231540218ABD7116B249C49DBF3B6CEB45A52F400425FE09E2182DE28DD4A99A5
                  APIs
                  • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                  • GetSystemMetrics.USER32(0000004D), ref: 00419431
                  • GetSystemMetrics.USER32(0000004E), ref: 00419437
                  • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem
                  • String ID:
                  • API String ID: 4116985748-0
                  • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                  • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                  • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                  • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0086A998,00000000), ref: 0086AD4B
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0086A998,00000000), ref: 0086AD60
                  • CloseServiceHandle.ADVAPI32(00000000,?,0086A998,00000000), ref: 0086AD6D
                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0086A998,00000000), ref: 0086AD78
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$Open$CloseHandleManagerStart
                  • String ID:
                  • API String ID: 2553746010-0
                  • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                  • Instruction ID: 8cd9f42321b1e22e23bf96937e4a10221e4ba829c4e102f326f5a1203fe461f6
                  • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                  • Instruction Fuzzy Hash: C3F0E271141728AFD2116B349C88DBF3B6CEF85BA3B000829F901D20919F68CD49A9B6
                  APIs
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00855387
                  • SetEvent.KERNEL32(?), ref: 00855393
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0085539E
                  • CloseHandle.KERNEL32(?), ref: 008553A7
                    • Part of subcall function 0086B7E7: GetLocalTime.KERNEL32(00000000), ref: 0086B801
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                  • String ID:
                  • API String ID: 2993684571-0
                  • Opcode ID: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                  • Instruction ID: 11d97b5ae2e826c4ad9f5a3bce060592644cacfa898e10782570e4d074cdd0a3
                  • Opcode Fuzzy Hash: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                  • Instruction Fuzzy Hash: 95F09071804710BFDB113B78CD0BAAA7FA4FB07352F000969FC82C16A2DA658C449B96
                  APIs
                  • GetStdHandle.KERNEL32(000000F5), ref: 0086D05A
                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 0086D067
                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0086D074
                  • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0086D087
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                  • String ID:
                  • API String ID: 3024135584-0
                  • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                  • Instruction ID: 78ae7cd943002b7fbe909cd07c4eebd8c49d1443cf730d10fb71ff7dd53bd5d3
                  • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                  • Instruction Fuzzy Hash: 78E04872504315E7E31027B5EC4DCAB7B7CE785623B100265FA16815939A649C40C6B5
                  APIs
                  • FindResourceA.KERNEL32(0046CA24,0000000A,00000000), ref: 0086B7B1
                  • LoadResource.KERNEL32(00000000,?,?,0085F680,00000000), ref: 0086B7C5
                  • LockResource.KERNEL32(00000000,?,?,0085F680,00000000), ref: 0086B7CC
                  • SizeofResource.KERNEL32(00000000,?,?,0085F680,00000000), ref: 0086B7DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Resource$FindLoadLockSizeof
                  • String ID:
                  • API String ID: 3473537107-0
                  • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                  • Instruction ID: 38fc03f2fbe15244d10c4ab148c6735f99bd8f7124dd3c1c37864d2dca45dabc
                  • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                  • Instruction Fuzzy Hash: 7BE01A36200B22EBEB211BA1AC8CD463E29FBC97637150075F905C6231CB758840DA58
                  APIs
                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                    • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                  • String ID:
                  • API String ID: 1761009282-0
                  • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                  • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                  • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                  • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                  APIs
                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00889218
                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0088921D
                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00889222
                    • Part of subcall function 0088A721: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0088A732
                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00889237
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                  • String ID:
                  • API String ID: 1761009282-0
                  • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                  • Instruction ID: a7686b51d89e2aac8a617a2345e97dab5411d03745705fe0aa4ffc8da04d35f8
                  • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                  • Instruction Fuzzy Hash: 4DC00218008106653C187AF872161B96350FC633C8BA82082E9E6D75879A1A044AB723
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: __aulldvrm
                  • String ID: +$-
                  • API String ID: 1302938615-2137968064
                  • Opcode ID: 4fbe68187eeb69d2e08e741ed5b0e3133476de9ed197204672df6993eaba3c16
                  • Instruction ID: d8bbb4538f849a7018d9e4946d129e1f00330d30518df0288c797d3ce996ea7d
                  • Opcode Fuzzy Hash: 4fbe68187eeb69d2e08e741ed5b0e3133476de9ed197204672df6993eaba3c16
                  • Instruction Fuzzy Hash: 2A91D030D0525DAFDF24EE69C8416EDBBB1FFC5334F28825AE861E7295D73099028B61
                  APIs
                  • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorHandling__start
                  • String ID: pow
                  • API String ID: 3213639722-2276729525
                  • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                  • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                  • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                  • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                  APIs
                  • GetTickCount.KERNEL32 ref: 00865E28
                    • Part of subcall function 0086BDDE: GetLastInputInfo.USER32(?), ref: 0086BDEE
                    • Part of subcall function 0086BDDE: GetTickCount.KERNEL32 ref: 0086BDF4
                    • Part of subcall function 0086BD8E: GetForegroundWindow.USER32 ref: 0086BDB0
                    • Part of subcall function 0086BD8E: GetWindowTextW.USER32(00000000,?,00000100), ref: 0086BDC3
                    • Part of subcall function 00854D08: send.WS2_32(?,00000000,00000000,00000000), ref: 00854D9D
                    • Part of subcall function 0085525B: GetLocalTime.KERNEL32(?), ref: 00855297
                    • Part of subcall function 0085525B: GetLocalTime.KERNEL32(?), ref: 008552EE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountLocalTickTimeWindow$ForegroundInfoInputLastTextsend
                  • String ID: !D@$,aF
                  • API String ID: 1906814977-3317875915
                  • Opcode ID: f38012fe4c721671fe47719ef448c68fe10eba452924d15940a605a5699b39a7
                  • Instruction ID: c0b6382bfbdadea84dc7df49a7c24a857cd7ea71849b2200adc3bd8772f2da4f
                  • Opcode Fuzzy Hash: f38012fe4c721671fe47719ef448c68fe10eba452924d15940a605a5699b39a7
                  • Instruction Fuzzy Hash: 6C414F312486409BC324F738E862AEFB3A5FFA1341F50482DB946D7196EF305A4DC657
                  APIs
                  • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                  • GetLastError.KERNEL32 ref: 00449FAB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharErrorLastMultiWide
                  • String ID: PkGNG
                  • API String ID: 203985260-263838557
                  • Opcode ID: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                  • Instruction ID: e4919e29a80df6b7ced925805d10dfcffaa1b378e184719e11b938f1b8f94c7b
                  • Opcode Fuzzy Hash: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                  • Instruction Fuzzy Hash: 2331E430200201ABFB21EF56C845BAB7768EF45721F15016BF815C7391DB38CD45E7A9
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 008542CD
                    • Part of subcall function 0086BC70: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,008542E3), ref: 0086BC97
                    • Part of subcall function 0086880A: CloseHandle.KERNEL32(0085435C,?,?,0085435C,00465E84), ref: 00868820
                    • Part of subcall function 0086880A: CloseHandle.KERNEL32(00465E84,?,?,0085435C,00465E84), ref: 00868829
                    • Part of subcall function 0086C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00854396,00465E84), ref: 0086C796
                  • Sleep.KERNEL32(000000FA,00465E84), ref: 0085439F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                  • String ID: 0NG
                  • API String ID: 368326130-1567132218
                  • Opcode ID: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                  • Instruction ID: 31808893ffe545dc2801168875fcfd159722037953138fac58f98159bce45556
                  • Opcode Fuzzy Hash: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                  • Instruction Fuzzy Hash: A4314431A502185BCB14F7B8DC96DEE7775FF91306F400165B906E7192EF201E4ECA92
                  APIs
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                    • Part of subcall function 00418691: 73C12440.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                  • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                    • Part of subcall function 00418706: 73C2EFB0.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                    • Part of subcall function 004186B4: 73C35080.GDIPLUS(?,00418BBD), ref: 004186BD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateStream$C12440C35080
                  • String ID: image/jpeg
                  • API String ID: 885787751-3785015651
                  • Opcode ID: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                  • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                  • Opcode Fuzzy Hash: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                  • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                  APIs
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00868D60
                  • SHCreateMemStream.SHLWAPI(00000000), ref: 00868DAD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateStream
                  • String ID: image/jpeg
                  • API String ID: 1369699375-3785015651
                  • Opcode ID: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                  • Instruction ID: b4bd212d820b8cf7025bf1a3422bef1fc45d722cf08352ede2eae64138ed7520
                  • Opcode Fuzzy Hash: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                  • Instruction Fuzzy Hash: 28315C71504310AFC701AB68C884D7FBBE9FF8A701F004A2EF985D7211DB7599098BA2
                  APIs
                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                  • __Init_thread_footer.LIBCMT ref: 0040B7D2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Init_thread_footer__onexit
                  • String ID: [End of clipboard]$[Text copied to clipboard]
                  • API String ID: 1881088180-3686566968
                  • Opcode ID: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                  • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                  • Opcode Fuzzy Hash: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                  • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                  APIs
                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ACP$OCP
                  • API String ID: 0-711371036
                  • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                  • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                  • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                  • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                  APIs
                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,008A2079,?,00000050,?,?,?,?,?), ref: 008A1EF9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ACP$OCP
                  • API String ID: 0-711371036
                  • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                  • Instruction ID: 32fd2bb2a6814cb97862f7e224bd9d91d5c6aba15d0b10494a630740ba0be09b
                  • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                  • Instruction Fuzzy Hash: 5521D362B10105AAFF349B54C909BA7739BFF56B21F564420ED09D7A00FB32DD50C350
                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                  • GetLastError.KERNEL32 ref: 0044B884
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID: PkGNG
                  • API String ID: 442123175-263838557
                  • Opcode ID: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                  • Instruction ID: 9972a58bdd01e134d13becd973f3089a2f7b3635eb9ddb95e5d59f4384582b5e
                  • Opcode Fuzzy Hash: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                  • Instruction Fuzzy Hash: B2316F31A00619DBCB24DF59DD8099AF3F9FF48301B1485AAE909D7261E734ED81CBA8
                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0089BE55,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0089BAC2
                  • GetLastError.KERNEL32 ref: 0089BAEB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID: PkGNG
                  • API String ID: 442123175-263838557
                  • Opcode ID: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                  • Instruction ID: 1eb518efd0cab3f46ca6b33e19791b7d6f0f5b609904ff31dfca32951e544ade
                  • Opcode Fuzzy Hash: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                  • Instruction Fuzzy Hash: AA314F71A01219DBCF24DF59DD809DAF3F5FF48311B1485AAE509D7260E730AD81CB54
                  APIs
                  • _wcslen.LIBCMT ref: 00866597
                    • Part of subcall function 00863B19: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 00863B27
                    • Part of subcall function 00863B19: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0085C3F4,00466C58,00000001,000000AF,004660B4), ref: 00863B42
                    • Part of subcall function 00863B19: RegCloseKey.ADVAPI32(004660B4,?,?,?,0085C3F4,00466C58,00000001,000000AF,004660B4), ref: 00863B4D
                    • Part of subcall function 0085A086: _wcslen.LIBCMT ref: 0085A09F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: _wcslen$CloseCreateValue
                  • String ID: !D@$PG
                  • API String ID: 3411444782-1987221222
                  • Opcode ID: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                  • Instruction ID: c76c9a1acd2e31409e1e7861e97415b11e073500515a1139d308cacd9362aa5e
                  • Opcode Fuzzy Hash: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                  • Instruction Fuzzy Hash: AA11E76178450157C6087738A823B7D6286FFE2312F80843EFD46CF2D2EEA54C48A65B
                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                  • GetLastError.KERNEL32 ref: 0044B796
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID: PkGNG
                  • API String ID: 442123175-263838557
                  • Opcode ID: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                  • Instruction ID: c865f2f287ade0309940dd9d446f9ab1351fd896516eb6f8948e0fb5ca6ebdce
                  • Opcode Fuzzy Hash: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                  • Instruction Fuzzy Hash: 69219435600219DFDB14CF69D980BEAB3F9EB48312F1048AAE94AD7251D734ED85CB64
                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0089BE75,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0089B9D4
                  • GetLastError.KERNEL32 ref: 0089B9FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID: PkGNG
                  • API String ID: 442123175-263838557
                  • Opcode ID: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                  • Instruction ID: 754a377aabdaadaccb8df57c3eb78cd6e43e77acb29a5e276ad6ecb33f0b50aa
                  • Opcode Fuzzy Hash: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                  • Instruction Fuzzy Hash: A021D335610218DFCF14DF59DD80AE9B7F9FB48302F1448AAE94AD7251EB30AD81CB20
                  APIs
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                    • Part of subcall function 00418691: 73C12440.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                    • Part of subcall function 00418706: 73C2EFB0.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                    • Part of subcall function 004186B4: 73C35080.GDIPLUS(?,00418BBD), ref: 004186BD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateStream$C12440C35080
                  • String ID: image/png
                  • API String ID: 885787751-2966254431
                  • Opcode ID: c5080055e3ee20b0f86b16816e754ddae04249a5e40f1d4050c67216b79272cb
                  • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                  • Opcode Fuzzy Hash: c5080055e3ee20b0f86b16816e754ddae04249a5e40f1d4050c67216b79272cb
                  • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                  APIs
                  • __EH_prolog.LIBCMT ref: 00854873
                    • Part of subcall function 00854D08: send.WS2_32(?,00000000,00000000,00000000), ref: 00854D9D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prologsend
                  • String ID: o~E$NG
                  • API String ID: 2679777229-4065726910
                  • Opcode ID: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                  • Instruction ID: 0f9d9ec013bf33715611d8fdf56a3d1741ad6155427d30bbe8250c2eba372d8d
                  • Opcode Fuzzy Hash: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                  • Instruction Fuzzy Hash: 1C216032D401089BCB15EBA8E952AFEB775FF50351F20412AB516E3191EF341E5DCB81
                  APIs
                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 481472006-1507639952
                  • Opcode ID: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                  • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                  • Opcode Fuzzy Hash: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                  • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 00855297
                    • Part of subcall function 0086B7E7: GetLocalTime.KERNEL32(00000000), ref: 0086B801
                  • GetLocalTime.KERNEL32(?), ref: 008552EE
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 00855286
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 481472006-1507639952
                  • Opcode ID: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                  • Instruction ID: b402d7e334c1ad5503387eb091709a044b90b6b83b4223c3c262c356550d2752
                  • Opcode Fuzzy Hash: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                  • Instruction Fuzzy Hash: DE213861D047409BC700F738DC5AB6ABB54FB52305F840528FC4DCB226DBB99A8C8797
                  APIs
                  • Sleep.KERNEL32 ref: 0041667B
                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DownloadFileSleep
                  • String ID: !D@
                  • API String ID: 1931167962-604454484
                  • Opcode ID: c9b80b904821436f6ebf50aad325410e3fdb3c9e59a4b5cd3336f35bda12ca07
                  • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                  • Opcode Fuzzy Hash: c9b80b904821436f6ebf50aad325410e3fdb3c9e59a4b5cd3336f35bda12ca07
                  • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                  APIs
                  • Sleep.KERNEL32(00000064), ref: 008668E2
                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 00866944
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DownloadFileSleep
                  • String ID: !D@
                  • API String ID: 1931167962-604454484
                  • Opcode ID: bef958293fe2008a3a79a038302e0b3da231204476f86616c0fe51d81de4655c
                  • Instruction ID: 50f2737d7462151ebce26532f75c60ba0fd009ce7c09f786120f6f5b884bd395
                  • Opcode Fuzzy Hash: bef958293fe2008a3a79a038302e0b3da231204476f86616c0fe51d81de4655c
                  • Instruction Fuzzy Hash: 3E113D715493419AC614FB78D99696EB398FF62302F400C2DBD46D7192EE20991DC653
                  APIs
                  • GetLocalTime.KERNEL32(00000000), ref: 0086B801
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime
                  • String ID: %02i:%02i:%02i:%03i $PkGNG
                  • API String ID: 481472006-224355505
                  • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                  • Instruction ID: c13165e3042431521122a6e7eb16a5660159891405b2d5c19400da585ee030ff
                  • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                  • Instruction Fuzzy Hash: 2F1160714482449BC704FB68E8529BFB3E8FBA4342F50092AF899C2095FF28DA5CC657
                  APIs
                  • CoInitializeEx.COMBASE(00000000,00000002), ref: 00857872
                    • Part of subcall function 0085779F: _wcslen.LIBCMT ref: 008577C3
                    • Part of subcall function 0085779F: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 00857824
                  • CoUninitialize.COMBASE ref: 008578CB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitializeObjectUninitialize_wcslen
                  • String ID: C:\Users\user\Desktop\documents-pdf.exe
                  • API String ID: 3851391207-2950983808
                  • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                  • Instruction ID: 02aef16da8c0a05d2e47c982281642dcd9e734596932d15d68fa669b431972bf
                  • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                  • Instruction Fuzzy Hash: 0D0180723093156BE2245B15EC0EF6B6B4DEB81726F11412EFD01C6181EB95AC4986BA
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Event
                  • String ID: !D@$NG
                  • API String ID: 4201588131-2721294649
                  • Opcode ID: 8fc69762f1054fab49cdf09addf11f5569ef1803885e917715690b2ef544eb48
                  • Instruction ID: 26a7a70ef463ee1ddd3bb7985d70f9736bee8891495ffc2cb62eb5590f518016
                  • Opcode Fuzzy Hash: 8fc69762f1054fab49cdf09addf11f5569ef1803885e917715690b2ef544eb48
                  • Instruction Fuzzy Hash: 7511A7365082559BC620FB78DC42AEEB3A4FB56321F40496DFA99C3192EF30591DC793
                  APIs
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: alarm.wav$hYG
                  • API String ID: 1174141254-2782910960
                  • Opcode ID: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                  • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                  • Opcode Fuzzy Hash: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                  • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                  APIs
                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                  • CloseHandle.KERNEL32(?), ref: 0040B0EF
                  • UnhookWindowsHookEx.USER32 ref: 0040B102
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                  • String ID: Online Keylogger Stopped
                  • API String ID: 1623830855-1496645233
                  • Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                  • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                  • Opcode Fuzzy Hash: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                  • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                  APIs
                    • Part of subcall function 0085B406: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0085B414
                    • Part of subcall function 0085B406: wsprintfW.USER32 ref: 0085B495
                    • Part of subcall function 0086B7E7: GetLocalTime.KERNEL32(00000000), ref: 0086B801
                  • CloseHandle.KERNEL32(?), ref: 0085B356
                  • UnhookWindowsHookEx.USER32 ref: 0085B369
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                  • String ID: Online Keylogger Stopped
                  • API String ID: 1623830855-1496645233
                  • Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                  • Instruction ID: 750ac3398448a110c4667d2f7f45a091371a64ea768823aa5b8f1f92441de585
                  • Opcode Fuzzy Hash: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                  • Instruction Fuzzy Hash: 2601B135A042109BC7217B28CC0B7BEBBB1FF62316F80009DEC8296296EF65195D97D7
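The function records above (the CoInitializeEx/CoGetObject pair at 00857872, the two UnhookWindowsHookEx records that carry "Online Keylogger Stopped", and the RegCreateKeyA/RegSetValueExA subcalls at 00863B19) all follow one line format, so they can be parsed and triaged mechanically instead of read one by one. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: the line formats are inferred from this report's text, the capability tag names are my own, and the sample excerpt is constructed from records copied off this page. It also pairs identical Opcode IDs that appear at two dump offsets, which is how the same function shows up once in the mapped image (Offset 00400000, based on PE: true) and once in the unpacked region (Offset 00850000, based on PE: false).

```python
"""Parse the per-function 'APIs / String ID / Memory Dump Source' records of a Joe Sandbox report
and tag what each function can do. Added example, not part of the report: the line formats are
inferred from this report's text; the tag names and the sample excerpt below are mine."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: four records copied from this report, trimmed to the lines the parser reads.
SAMPLE = """\
APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 00857872
  • Part of subcall function 0085779F: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 00857824
• CoUninitialize.COMBASE ref: 008578CB
• Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
• String ID: C:\\Users\\user\\Desktop\\documents-pdf.exe
• Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
APIs
  • Part of subcall function 0085B406: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0085B414
• CloseHandle.KERNEL32(?), ref: 0085B356
• UnhookWindowsHookEx.USER32 ref: 0085B369
• Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
• String ID: Online Keylogger Stopped
• Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
APIs
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
• Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• String ID: Online Keylogger Stopped
• Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
APIs
• _wcslen.LIBCMT ref: 00866597
  • Part of subcall function 00863B19: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 00863B27
  • Part of subcall function 00863B19: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 00863B42
• Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
• String ID: !D@$PG
• Opcode ID: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
"""

CALL_RE = re.compile(r"^\s*•\s+(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s+)?"
                     r"(?P<name>\w+)\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"Offset:\s+(?P<off>[0-9A-Fa-f]+),\s+based on PE:\s+(?P<pe>true|false)")
STRINGS_RE = re.compile(r"^\s*•\s+String ID:\s*(?P<ids>.*)$")
OPCODE_RE = re.compile(r"^\s*•\s+Opcode ID:\s+(?P<id>[0-9a-f]{64})")
HKEY_CURRENT_USER = "80000001"  # predefined registry handle value, as printed in the RegCreateKeyA arguments

Call = namedtuple("Call", "name module args ref subcall")

@dataclass
class Record:
    offset: str = ""
    pe_backed: bool = False
    opcode_id: str = ""
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def parse_records(text):
    """One Record per 'APIs' header; direct calls and 'Part of subcall' calls are both kept."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Record()
            records.append(cur)
        elif cur is None:
            continue
        elif m := CALL_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(Call(m["name"], m["mod"], args, m["ref"], m["sub"] is not None))
        elif m := SOURCE_RE.search(line):
            cur.offset, cur.pe_backed = m["off"], m["pe"] == "true"
        elif m := STRINGS_RE.match(line):
            cur.strings = [s for s in m["ids"].split("$") if s]  # the report joins strings with '$'
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["id"]
    return records

def capabilities(rec):
    """Tag a record from the API names it reaches (directly or via subcalls) and its strings."""
    names = {c.name for c in rec.calls}
    tags = set()
    if "CoGetObject" in names:  # moniker activation; the CMSTPLUA elevation bypass goes through this call
        tags.add("com-moniker-activation")
    if "UnhookWindowsHookEx" in names or any("Keylogger" in s for s in rec.strings):
        tags.add("keylogger")
    if "RegSetValueExA" in names and any(
            c.name == "RegCreateKeyA" and c.args[:1] == [HKEY_CURRENT_USER] for c in rec.calls):
        tags.add("hkcu-registry-write")
    return tags

def unpacked_twins(records):
    """Opcode IDs seen at more than one dump offset: the image copy and the unpacked copy of one function."""
    seen = {}
    for r in records:
        if r.opcode_id:
            seen.setdefault(r.opcode_id, set()).add(r.offset)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.offset, "PE" if r.pe_backed else "non-PE", r.opcode_id[:12], sorted(capabilities(r)))
```

The HKEY_CURRENT_USER check reads the first RegCreateKeyA argument exactly as the report prints it. The CoGetObject tag only records that a moniker is activated, which is the call the CMSTPLUA elevation bypass depends on; the moniker string itself is not among the strings the report shows for that function, so the rule does not claim to see it.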
                  APIs
                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: String
                  • String ID: LCMapStringEx$PkGNG
                  • API String ID: 2568140703-1065776982
                  APIs
                  • waveInPrepareHeader.WINMM(0098AF00,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                  • waveInAddBuffer.WINMM(0098AF00,00000020,?,00000000,00401A15), ref: 0040185F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: wave$BufferHeaderPrepare
                  • String ID: XMG
                  • API String ID: 2315374483-813777761
                  APIs
                  • waveInPrepareHeader.WINMM(00474D94,00000020,00476BD4,00476BD4,00476B50,00474EE0,?,00000000,00851C7C), ref: 00851AB0
                  • waveInAddBuffer.WINMM(00474D94,00000020,?,00000000,00851C7C), ref: 00851AC6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: wave$BufferHeaderPrepare
                  • String ID: XMG
                  • API String ID: 2315374483-813777761
                  APIs
                  • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00854CA7), ref: 0086CE01
                  • LocalFree.KERNEL32(?,?), ref: 0086CE27
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: FormatFreeLocalMessage
                  • String ID: PkGNG
                  • API String ID: 1427518018-263838557
                  APIs
                  • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocaleValid
                  • String ID: IsValidLocaleName$kKD
                  • API String ID: 1901932003-3269126172
                  APIs
                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: UserProfile$\AppData\Local\Google\Chrome\
                  • API String ID: 1174141254-4188645398
                  APIs
                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                  • API String ID: 1174141254-2800177040
                  APIs
                  • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: AppData$\Opera Software\Opera Stable\
                  • API String ID: 1174141254-1629609700
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog
                  • String ID: G~E$XMG
                  • API String ID: 3519838083-1567329563
                  APIs
                  • GetKeyState.USER32(00000011), ref: 0040B686
                    • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                    • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                    • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                    • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                    • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                    • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                  • String ID: [AltL]$[AltR]
                  • API String ID: 2738857842-2658077756
                  APIs
                  • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$FileSystem
                  • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                  • API String ID: 2086374402-949981407
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell
                  • String ID: !D@$open
                  • API String ID: 587946157-1586967515
                  APIs
                  • ___initconout.LIBCMT ref: 004555DB
                    • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
                  • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ConsoleCreateFileWrite___initconout
                  • String ID: PkGNG
                  • API String ID: 3087715906-263838557
                  APIs
                  • ___initconout.LIBCMT ref: 008A5842
                    • Part of subcall function 008A6E04: CreateFileW.KERNEL32(004654B8,40000000,00000003,00000000,00000003,00000000,00000000,008A5847,00000000,PkGNG,0089B884,?,FF8BC35D,00000000,?,00000000), ref: 008A6E17
                  • WriteConsoleW.KERNEL32(004719B0,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0089B884,?,FF8BC35D,00000000,?,00000000,PkGNG,0089BE00,?), ref: 008A5865
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ConsoleCreateFileWrite___initconout
                  • String ID: PkGNG
                  • API String ID: 3087715906-263838557
                  APIs
                  • GetKeyState.USER32(00000012), ref: 0040B6E0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: State
                  • String ID: [CtrlL]$[CtrlR]
                  • API String ID: 1649606143-2446555240
                  APIs
                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                  • __Init_thread_footer.LIBCMT ref: 00410F64
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Init_thread_footer__onexit
                  • String ID: ,kG$0kG
                  • API String ID: 1881088180-2015055088
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                  • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteOpenValue
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                  • API String ID: 2654517830-1051519024
                  APIs
                    • Part of subcall function 00884A68: __onexit.LIBCMT ref: 00884A6E
                  • __Init_thread_footer.LIBCMT ref: 008611CB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: Init_thread_footer__onexit
                  • String ID: ,kG$0kG
                  • API String ID: 1881088180-2015055088
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0085D770,00000000,?,00000000), ref: 00863CD3
                  • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00863CE7
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00863CD1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteOpenValue
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                  • API String ID: 2654517830-1051519024
                  APIs
                  • DeleteFileW.KERNEL32(00000000,?,?,0085AF55,0000005C,?,?,?,00000000), ref: 0085BB18
                  • RemoveDirectoryW.KERNEL32(00000000,?,?,0085AF55,0000005C,?,?,?,00000000), ref: 0085BB43
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteDirectoryFileRemove
                  • String ID: xdF
                  • API String ID: 3325800564-999140092
                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0085EEAA,0000000D,00000033,00000000,00000032,00000000,004673AC,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0085D31A
                  • GetLastError.KERNEL32 ref: 0085D325
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateErrorLastMutex
                  • String ID: Rmc-AYRCHN
                  • API String ID: 1925916568-1213370029
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                  • GetLastError.KERNEL32 ref: 00440D85
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$ErrorLast
                  • String ID:
                  • API String ID: 1717984340-0
                  APIs
                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                  • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                  Memory Dump Source
                  • Source File: 00000000.00000002.2127973802.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2127973802.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2127973802.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastRead
                  • String ID:
                  • API String ID: 4100373531-0
                  APIs
                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00861E2E
                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00861EFA
                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00861F1C
                  • SetLastError.KERNEL32(0000007E,00862192), ref: 00861F33
                  Memory Dump Source
                  • Source File: 00000000.00000002.2128264560.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_850000_documents-pdf.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastRead
                  • String ID:
                  • API String ID: 4100373531-0