
Windows Analysis Report
advancePayment-pdf.exe

Overview

General Information

Sample name: advancePayment-pdf.exe
Analysis ID: 1553456
MD5: 821cd5ef8d94deeeee5b7cb82379c212
SHA1: 977f8407a7033b20b96fec686e918c177160ae92
SHA256: 8038ff6a41673eb151cdb7f03872c741dc762834c856d70030cd54af744e36a4
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • advancePayment-pdf.exe (PID: 6076 cmdline: "C:\Users\user\Desktop\advancePayment-pdf.exe" MD5: 821CD5EF8D94DEEEEE5B7CB82379C212)
    • WerFault.exe (PID: 5464 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 932 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5268 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1000 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1008 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1008 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5532 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1152 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1160 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • yavascript.exe (PID: 3364 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: 821CD5EF8D94DEEEEE5B7CB82379C212)
      • WerFault.exe (PID: 4196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 632 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 5748 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 648 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 6696 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 728 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 5332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 756 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 6412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 2220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 924 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 5276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1208 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • yavascript.exe (PID: 6540 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: 821CD5EF8D94DEEEEE5B7CB82379C212)
    • WerFault.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 532 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos): {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I7G983", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}
Source | Rule | Description | Author
0000000F.00000002.4487367180.0000000002DAD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.2301983250.0000000002D27000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000017.00000002.2310830202.0000000002D80000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000002.4487332723.0000000002D69000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  Strings:
  • 0x12d0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2301934227.0000000002CD9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  Strings:
  • 0x15a0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
(65 entries in total)
Source | Rule | Description | Author
15.3.yavascript.exe.48e0000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
15.3.yavascript.exe.48e0000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
15.3.yavascript.exe.48e0000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
15.3.yavascript.exe.48e0000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
15.3.yavascript.exe.48e0000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
(103 entries in total)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\advancePayment-pdf.exe, ProcessId: 6076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-I7G983

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 1E 04 D2 DB 3F 0C FE F3 82 62 77 23 55 F6 79 B1 49 36 B8 E5 8D 32 CC 27 A6 CB 6E 6A 89 1A 19 B0 B4 53 8A 49 77 14 FC 00 27 A6 E3 34 C0 ED 34 E0 0A 9D 0A D1 26 0E C1 90 99 15 44 75 A2 34 05 C5 6E C4 62 5A AD 89 35 B2 F0 68 B4 0C E0 47 A0 30 FD 73 49 70 34 DF 76 DA 6B E1 47 5F 61 46 AA 13 DB 71 55 89 7B 9B 50 50 84 E0, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, ProcessId: 3364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-I7G983\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-11T09:00:09.286393+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 198.23.227.212 | 32583 | TCP
2024-11-11T09:00:21.649534+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49736 | 178.237.33.50 | 80 | TCP


AV Detection

Source: 00000000.00000002.2301983250.0000000002D27000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I7G983", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Virustotal: Detection: 62%
Source: advancePayment-pdf.exe | ReversingLabs: Detection: 52%
Source: advancePayment-pdf.exe | Virustotal: Detection: 62%
Source: Yara match | File source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.4487367180.0000000002DAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2301983250.0000000002D27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2310830202.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: advancePayment-pdf.exe PID: 6076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6540, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: advancePayment-pdf.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047E2BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04722BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_04802BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: advancePayment-pdf.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: advancePayment-pdf.exe PID: 6076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6540, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00406764 _wcslen,CoGetObject
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00406764 _wcslen,CoGetObject
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00406764 _wcslen,CoGetObject
Source: advancePayment-pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0044D5E9 FindFirstFileExA
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047BB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047CB696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047B900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047B7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047B6D29 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047C8ED0 FindFirstFileW
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047FD850 FindFirstFileExA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0044D5E9 FindFirstFileExA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_046FB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0470B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_046F900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_046F7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_046F6D29 FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04708ED0 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0473D850 FindFirstFileExA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0044D5E9 FindFirstFileExA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047DB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047EB696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047D900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047D7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047D6D29 FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047E8ED0 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0481D850 FindFirstFileExA
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

              Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49706 -> 198.23.227.212:32583
Source: Malware configuration extractor | IPs: 198.23.227.212
Source: global traffic | TCP traffic: 192.168.2.5:49706 -> 198.23.227.212:32583
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 198.23.227.212
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49736 -> 178.237.33.50:80
Source: unknown | TCP traffic detected without corresponding DNS query: 198.23.227.212 (27 identical entries in the report; the C2 address is hard-coded in the configuration rather than resolved by name)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004260F7 recv,0_2_004260F7
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: yavascript.exe, 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/B
Source: yavascript.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: advancePayment-pdf.exe, 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, advancePayment-pdf.exe, 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, advancePayment-pdf.exe, 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp1
Source: yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp8
Source: yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpO
Source: yavascript.exe, 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
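Two of the networking entries above are mechanical checks that are worth reproducing outside the sandbox: the "TCP traffic detected without corresponding DNS query" heuristic, which is what exposes a C2 address hard-coded in the Remcos configuration, and the plain indicator match on the C2 endpoint and the geoplugin.net lookup. The Python below is an added example, not code from the Joe Sandbox report or from Remcos. Only the addresses, the port 32583 and the hostname geoplugin.net are taken from the report; the Zeek-style log layout, the timestamps and the function names are this example's own constructions.

```python
"""Added example (not part of the Joe Sandbox report): replay the
"connection without prior DNS answer" heuristic and the C2/geolocation
indicator match over constructed Zeek-style log lines."""
import ipaddress

# Constructed records, tab-separated: ts, proto, src_ip, dst_ip, dst_port.
# Only the addresses, ports and hostname below come from the report.
CONN_LOG = """\
1700000001.000\ttcp\t192.168.2.5\t198.23.227.212\t32583
1700000002.500\tudp\t192.168.2.5\t1.1.1.1\t53
1700000003.000\ttcp\t192.168.2.5\t178.237.33.50\t80
1700000010.000\ttcp\t192.168.2.5\t198.23.227.212\t32583
"""
# Constructed DNS answers: ts, query name, answer IP.
DNS_LOG = """\
1700000002.600\tgeoplugin.net\t178.237.33.50
"""

# Indicators from the report: the C2 endpoint named by the malware configuration
# extractor and the Suricata JA3 alert, and the geolocation service the RAT
# queries on start-up.
C2_ENDPOINTS = {("198.23.227.212", 32583)}
GEO_LOOKUP_HOSTS = {"geoplugin.net"}


def parse_conn(text):
    rows = []
    for line in text.splitlines():
        ts, proto, src, dst, dport = line.split("\t")
        rows.append((float(ts), proto, src, dst, int(dport)))
    return rows


def parse_dns(text):
    rows = []
    for line in text.splitlines():
        ts, name, answer = line.split("\t")
        rows.append((float(ts), name, answer))
    return rows


def connections_without_dns(conn_rows, dns_rows):
    """Destination IPs contacted before (or without) any DNS answer naming them."""
    first_answer = {}
    for ts, _name, answer in dns_rows:
        first_answer[answer] = min(ts, first_answer.get(answer, ts))
    flagged = set()
    for ts, _proto, _src, dst, dport in conn_rows:
        if dport == 53:
            continue  # traffic to the resolver itself never has a prior lookup
        if not ipaddress.ip_address(dst).is_global:
            continue  # private / link-local peers are out of scope for this check
        if dst not in first_answer or first_answer[dst] > ts:
            flagged.add(dst)
    return sorted(flagged)


def c2_hits(conn_rows):
    """Connections to the configured Remcos C2 endpoint (ts, dst, dport)."""
    return [(ts, dst, dport) for ts, proto, _src, dst, dport in conn_rows
            if proto == "tcp" and (dst, dport) in C2_ENDPOINTS]


def geo_lookup_hits(dns_rows):
    """DNS queries for the geolocation service used to fingerprint the victim."""
    return sorted({name for _ts, name, _ip in dns_rows if name in GEO_LOOKUP_HOSTS})


if __name__ == "__main__":
    conn, dns = parse_conn(CONN_LOG), parse_dns(DNS_LOG)
    print("destinations with no DNS answer:", connections_without_dns(conn, dns))
    print("C2 connections:", c2_hits(conn))
    print("geolocation lookups:", geo_lookup_hits(dns))
```

Port-53 flows and non-global destinations are skipped, which is why the resolver (the UDP 1.1.1.1 entry above) does not trip the check. The geoplugin.net request is not flagged either, because its DNS answer (178.237.33.50) precedes the connection; that is exactly the difference the heuristic draws between a resolved host and a hard-coded C2 address.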

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000,0_2_004099E4 (idHook 0x0D = WH_KEYBOARD_LL, a system-wide low-level keyboard hook)
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,15_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,23_2_004159C6
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
Source: Yara match | File source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: advancePayment-pdf.exe PID: 6076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6540, type: MEMORYSTR

              E-Banking Fraud

Source: Yara match | File source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.4487367180.0000000002DAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2301983250.0000000002D27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2310830202.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: advancePayment-pdf.exe PID: 6076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 3364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 6540, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0041BB77 SystemParametersInfoW,0_2_0041BB77
Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047CBDDE SystemParametersInfoW,0_2_047CBDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0041BB77 SystemParametersInfoW,15_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0470BDDE SystemParametersInfoW,15_2_0470BDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0041BB77 SystemParametersInfoW,23_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047EBDDE SystemParametersInfoW,23_2_047EBDDE
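The capability signatures in this report (file enumeration and deletion loops, the WH_KEYBOARD_LL hook, ToUnicodeEx keystroke decoding, clipboard access, SystemParametersInfo, NtSuspendProcess/NtResumeProcess) are all derived from the API chains listed under "Code function". The Python below is an added example, not part of the Joe Sandbox report and not a Joe Sandbox rule set: it parses lines in that layout and maps each function to the capabilities the report attributes to it. The sample lines are copied from the report's own format; the rule table, the capability labels and the parse_line/classify/triage names are this example's assumptions. WH_KEYBOARD_LL = 13 (0x0D) and WH_MOUSE_LL = 14 are the winuser.h values for the idHook argument.

```python
"""Added example (not part of the Joe Sandbox report): map "Code function"
API chains from a sandbox listing to the capabilities they suggest."""
import re

# Constructed input in the report's layout: "<pid>_<run>_<addr> API,API,...<pid>_<run>_<addr>".
# The function id is repeated at the end of every line, so the parser strips it.
REPORT_LINES = """\
0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000000_2_004099E4
0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
0_2_0041BB77 SystemParametersInfoW,0_2_0041BB77
0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041ACC1
23_2_047EB696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,23_2_047EB696
"""

FUNC_ID = re.compile(r"^(\d+_\d+_[0-9A-Fa-f]{8}) (.*)$")
WH_KEYBOARD_LL, WH_MOUSE_LL = 13, 14  # idHook values from winuser.h

# Capability rules (this example's assumptions): a rule fires when every listed API
# appears in the chain.  SystemParametersInfo is generic; the wallpaper reading
# rests on the report's signature because the SPI_* action code is not listed.
RULES = {
    "keystroke decoding (keylogger)": {"GetKeyboardState", "ToUnicodeEx"},
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
    "clipboard write": {"OpenClipboard", "SetClipboardData"},
    "process suspend": {"OpenProcess", "NtSuspendProcess"},
    "process resume": {"OpenProcess", "NtResumeProcess"},
    "recursive delete (W)": {"FindFirstFileW", "FindNextFileW", "DeleteFileW"},
    "recursive delete (A)": {"FindFirstFileA", "FindNextFileA", "DeleteFileA"},
    "SystemParametersInfo (wallpaper per report)": {"SystemParametersInfoW"},
}


def parse_line(line):
    """Return (func_id, tokens) for one listing line, or None if it is not one."""
    m = FUNC_ID.match(line.strip())
    if not m:
        return None
    func_id, body = m.group(1), m.group(2)
    if body.endswith(func_id):
        body = body[: -len(func_id)]
    tokens = [t for t in re.split(r"[,\s]+", body) if t]
    return func_id, tokens


def hook_capability(tokens):
    """Decode the idHook argument that follows SetWindowsHookExA/W, if any."""
    for i, tok in enumerate(tokens):
        if tok in ("SetWindowsHookExA", "SetWindowsHookExW") and i + 1 < len(tokens):
            try:
                hook = int(tokens[i + 1], 16)
            except ValueError:
                return None
            if hook == WH_KEYBOARD_LL:
                return "low-level keyboard hook (WH_KEYBOARD_LL)"
            if hook == WH_MOUSE_LL:
                return "low-level mouse hook (WH_MOUSE_LL)"
            return f"SetWindowsHookEx idHook={hook}"
    return None


def classify(line):
    """Return (func_id, [capabilities]) for one line, or None if unparseable."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    func_id, tokens = parsed
    apis = set(tokens)
    caps = [name for name, needed in RULES.items() if needed <= apis]
    hook = hook_capability(tokens)
    if hook:
        caps.insert(0, hook)
    return func_id, caps


def triage(text):
    """Map every function id in a listing to the capabilities it suggests."""
    out = {}
    for line in text.splitlines():
        result = classify(line)
        if result:
            out[result[0]] = result[1]
    return out


if __name__ == "__main__":
    for func_id, caps in triage(REPORT_LINES).items():
        print(func_id, "->", ", ".join(caps) or "(no rule matched)")
```

The SystemParametersInfoW rule is deliberately the weakest in the table: the API is used for dozens of unrelated settings, and only the uiAction argument (SPI_SETDESKWALLPAPER) in the unpacked binary confirms the wallpaper reading the report gives it. The hook rule, by contrast, is conclusive on its own, because idHook 0x0D can only mean WH_KEYBOARD_LL.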

              System Summary

              Source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000F.00000002.4487332723.0000000002D69000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
              Source: 00000000.00000002.2301934227.0000000002CD9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
              Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000017.00000002.2310796123.0000000002D3C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
              Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
              Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
              Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
              Source: Process Memory Space: advancePayment-pdf.exe PID: 6076, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: yavascript.exe PID: 3364, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: yavascript.exe PID: 6540, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: initial sampleStatic PE information: Filename: advancePayment-pdf.exe
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047CCD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047CAF54 OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047CAF28 OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0470CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0470AF54 OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0470AF28 OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047ECD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047EAF54 OpenProcess,NtResumeProcess,CloseHandle
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047EAF28 OpenProcess,NtSuspendProcess,CloseHandle
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047C5B1C ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04705B1C ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047E5B1C ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0041D071
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004520D2
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0043D098
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00437150
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004361AA
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00426254
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00431377
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0043651C
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0041E5DF
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0044C739
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004367C6
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004267CB
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0043C9DD
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00432A49
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00436A8D
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0043CC0C
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00436D48
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00434D22
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00426E73
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00440E20
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0043CE3B
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00412F45
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00452F00
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00426FAD
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047E6411
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047D64BB
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047D70DA
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047ED0A2
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047F1087
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047D7214
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047ED2FF
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047CD2D8
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_04802339
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047E73B7
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047ECC44
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047E2CB0
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047ECE73
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047CE846
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047D6A32
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0041D071
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_004520D2
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0043D098
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00437150
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_004361AA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00426254
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00431377
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0043651C
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0041E5DF
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0044C739
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_004367C6
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_004267CB
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0043C9DD
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00432A49
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00436A8D
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0043CC0C
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00436D48
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00434D22
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00426E73
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00440E20
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0043CE3B
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00412F45
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00452F00
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00426FAD
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04726411
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_047164BB
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_047170DA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0472D0A2
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04731087
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04717214
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0472D2FF
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0470D2D8
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04742339
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_047273B7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0472CC44
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04722CB0
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0472CE73
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0470E846
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04716A32
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0041D071
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_004520D2
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0043D098
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00437150
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_004361AA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00426254
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00431377
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0043651C
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0041E5DF
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0044C739
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_004367C6
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_004267CB
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0043C9DD
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00432A49
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00436A8D
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0043CC0C
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00436D48
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00434D22
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00426E73
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00440E20
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0043CE3B
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00412F45
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00452F00
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00426FAD
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_04806411
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047F64BB
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_04811087
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0480D0A2
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047F70DA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047F7214
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0480D2FF
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047ED2D8
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_048073B7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_04822339
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_04802CB0
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0480CC44
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0480CE73
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047EE846
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047F6A32
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 04724217 appears 46 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 04804217 appears 46 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 04723B0C appears 41 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 04803B0C appears 41 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00401D64 appears 43 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00447174 appears 36 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00401F66 appears 100 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00401FAA appears 42 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 046F234E appears 37 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00403B40 appears 44 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00433FB0 appears 110 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00444B14 appears 56 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00404C9E appears 32 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 004020E7 appears 79 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00401E8F appears 37 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 047D234E appears 37 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 004040BB appears 36 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00410D8D appears 36 times
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 004338A5 appears 82 times
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: String function: 047E3B0C appears 41 times
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: String function: 004020E7 appears 39 times
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: String function: 047E4217 appears 46 times
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: String function: 00401F66 appears 50 times
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: String function: 004338A5 appears 41 times
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: String function: 047B234E appears 37 times
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: String function: 00433FB0 appears 55 times
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 932
              Source: advancePayment-pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
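              The "Code function" rows above repeat the same API chain several times: once at the on-disk image address (0x0041xxxx), once in the unpacked copy mapped at a higher base, and again for each process that runs the same code (process 0, the original sample, and processes 15 and 23, the dropped yavascript.exe). What an analyst actually needs from the listing is the handful of distinct behaviours and which of them deserve attention (OpenProcess followed by NtSuspendProcess/NtResumeProcess, ExitWindowsEx, and LoadLibraryA+GetProcAddress for run-time API resolution). The following Python helper is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself: it parses rows in the report's flattened layout (the cell separator is often lost on extraction, so it accepts both the fused form and a " | " separator), collapses rows by API chain, splits the addresses into image versus unpacked copy, and flags the watch-listed chains. The sample rows are constructed from entries in this listing; the watch-list, the 0x400000 image-base window (taken from the "*.400000.0.unpack" versus "*.47b0e67.1.unpack" dump names in this report), and the row grammar are assumptions of the example.

```python
"""Triage helper for flattened Joe Sandbox "Code function" rows.

Added example, not part of the sandbox report or of Joe Sandbox itself.
Rows look like
  Source: <path>Code function: <proc>_<run>_<addr> <API>,<API>,...,<proc>_<run>_<addr>
and the cell separator is often lost on extraction, so the parser accepts both
the fused form and a ' | ' separator. The same API chain is listed once for the
on-disk image (0x0041xxxx) and once for the unpacked copy mapped higher, and
again for every process that runs the same code, so the rows are collapsed by
chain and the chains that matter for triage are flagged.
"""
import re
from collections import defaultdict

# Assumption: which APIs a triage analyst wants surfaced first for this sample.
WATCHLIST = {
    "NtSuspendProcess": "suspends another process by handle (tampering/anti-analysis)",
    "NtResumeProcess": "resumes a suspended process (pairs with NtSuspendProcess)",
    "ExitWindowsEx": "can force logoff, shutdown or reboot",
}
DYNAMIC_RESOLVE = ("LoadLibraryA", "GetProcAddress")

# Assumption: image base 0x400000 with a 1 MiB window (the report names the
# image dumps "*.400000.0.unpack" and the unpacked copies "*.47b0e67.1.unpack").
IMAGE_LO, IMAGE_HI = 0x00400000, 0x00500000

ROW_RE = re.compile(
    r"Source:\s*(?P<source>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})"
    r"\s*(?P<chain>(?:[A-Za-z_]\w*,?)*)"
)

# Constructed sample rows modelled on the listing (both cell layouts appear).
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\advancePayment-pdf.exeCode function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041ACC1
Source: C:\Users\user\Desktop\advancePayment-pdf.exeCode function: 0_2_047CAF28 OpenProcess,NtSuspendProcess,CloseHandle,0_2_047CAF28
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 23_2_0041D07123_2_0041D071
"""


def parse_rows(text):
    """Yield (source, proc, addr, chain) for every parsable row; chain may be empty."""
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        chain = tuple(api for api in m.group("chain").split(",") if api)
        yield m.group("source"), int(m.group("proc")), int(m.group("addr"), 16), chain


def region(addr):
    """Classify a function address as inside the on-disk image or in an unpacked copy."""
    return "image" if IMAGE_LO <= addr < IMAGE_HI else "unpacked"


def flags_for(chain):
    """Return human-readable reasons an API chain deserves attention."""
    hits = [f"{api}: {why}" for api, why in WATCHLIST.items() if api in chain]
    if all(api in chain for api in DYNAMIC_RESOLVE):
        hits.append("LoadLibraryA+GetProcAddress: resolves APIs at run time")
    return hits


def triage(text):
    """Collapse rows by API chain: {chain: {procs, image, unpacked, flags}}."""
    groups = defaultdict(lambda: {"procs": set(), "image": set(), "unpacked": set()})
    for _source, proc, addr, chain in parse_rows(text):
        if not chain:
            continue  # bare function addresses carry no API information
        g = groups[",".join(chain)]
        g["procs"].add(proc)
        g[region(addr)].add(f"{proc}:{addr:08X}")
    return {
        chain: {
            "procs": sorted(g["procs"]),
            "image": sorted(g["image"]),
            "unpacked": sorted(g["unpacked"]),
            "flags": flags_for(chain.split(",")),
        }
        for chain, g in groups.items()
    }


if __name__ == "__main__":
    for chain, info in triage(SAMPLE_ROWS).items():
        print(chain, info)
```

Run against the full report text, `triage()` reduces the roughly 140 "Code function" rows in this section to a few distinct chains, each annotated with the process indices that contain it and with whether it was seen in the image, the unpacked copy, or both; a chain present in process 0 and in processes 15 and 23 at the same image address is the same code, confirming that the dropped yavascript.exe is a copy of the sample rather than a second payload.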
              Source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.3.yavascript.exe.48e0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.yavascript.exe.47d0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.3.yavascript.exe.48a0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.3.yavascript.exe.48e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.3.yavascript.exe.48a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.yavascript.exe.46f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.yavascript.exe.47d0e67.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.advancePayment-pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.3.advancePayment-pdf.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.yavascript.exe.46f0e67.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000F.00000002.4487332723.0000000002D69000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
              Source: 00000000.00000002.2301934227.0000000002CD9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
              Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000017.00000002.2310796123.0000000002D3C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
              Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
              Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
              Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
              Source: Process Memory Space: advancePayment-pdf.exe PID: 6076, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: yavascript.exe PID: 3364, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: yavascript.exe PID: 6540, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: advancePayment-pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: yavascript.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@20/68@1/2
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047C6D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04706D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_047E6D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | File created: C:\Users\user\AppData\Roaming\xenor
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6540
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6076
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3364
              Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1f445058-bb28-409f-be39-5ad9af2bc72b
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: XCG (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: Software\ (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: Rmc-I7G983 (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: Exe (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: 0DG (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: Inj (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: BG (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: @CG (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: exepath (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: licence (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: `=G (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: dCG (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: Administrator (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: User (0_2_0040D767)
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Command line argument: del (0_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Software\ (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Rmc-I7G983 (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Exe (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: 0DG (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Inj (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: @CG (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: exepath (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: licence (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: `=G (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: dCG (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Administrator (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: User (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del (15_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Software\ (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: (CG (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Exe (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: 0DG (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Inj (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: @CG (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: exepath (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: licence (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: `=G (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: dCG (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Administrator (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: User (23_2_0040D767)
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del (23_2_0040D767)
              Source: advancePayment-pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: advancePayment-pdf.exe | ReversingLabs: Detection: 52%
              Source: advancePayment-pdf.exe | Virustotal: Detection: 62%
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | File read: C:\Users\user\Desktop\advancePayment-pdf.exe
              Source: unknown | Process created: C:\Users\user\Desktop\advancePayment-pdf.exe "C:\Users\user\Desktop\advancePayment-pdf.exe"
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 932
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1000
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1008
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1008
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1152
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1160
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1208
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 632
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 648
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 728
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 756
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 772
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 924
              Source: C:\Windows\SysWOW64\WerFault.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 532
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 956
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 956
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: msimg32.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: msvcr100.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msimg32.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msvcr100.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msimg32.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msvcr100.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
              Source: advancePayment-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: advancePayment-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: advancePayment-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: advancePayment-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: advancePayment-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Unpacked PE file: 0.2.advancePayment-pdf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.vutod:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Unpacked PE file: 15.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.vutod:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Unpacked PE file: 23.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.vutod:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
              Source: advancePayment-pdf.exe | Static PE information: section name: .vutod
              Source: yavascript.exe.0.dr | Static PE information: section name: .vutod
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_004567E0 push eax; ret 0_2_004567FE
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_0045B9DD push esi; ret 0_2_0045B9E6
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00463EF3 push ds; retf 0_2_00463EEC
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00433FF6 push ecx; ret 0_2_00434009
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_02CDCB1D push es; ret 0_2_02CDCB2A
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_02CDF992 pushfd; ret 0_2_02CDF993
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047D409D push esi; ret 0_2_047D409F
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_04806116 push ecx; ret 0_2_04806129
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047E425D push ecx; ret 0_2_047E4270
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047B724F push edx; retf 0_2_047B7252
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047C5C73 push esp; ret 0_2_047C5C74
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_047C5EC9 push edi; ret 0_2_047C5ECA
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_04806A47 push eax; ret 0_2_04806A65
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_004567E0 push eax; ret 15_2_004567FE
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0045B9DD push esi; ret 15_2_0045B9E6
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00463EF3 push ds; retf 15_2_00463EEC
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00455EAF push ecx; ret 15_2_00455EC2
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_00433FF6 push ecx; ret 15_2_00434009
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_02D6F6C2 pushfd; ret 15_2_02D6F6C3
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_02D6C84D push es; ret 15_2_02D6C85A
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0471409D push esi; ret 15_2_0471409F
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04746116 push ecx; ret 15_2_04746129
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_046F724F push edx; retf 15_2_046F7252
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_0472425D push ecx; ret 15_2_04724270
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04705C73 push esp; ret 15_2_04705C74
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04705EC9 push edi; ret 15_2_04705ECA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 15_2_04746A47 push eax; ret 15_2_04746A65
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_004567E0 push eax; ret 23_2_004567FE
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_0045B9DD push esi; ret 23_2_0045B9E6
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 23_2_00463EF3 push ds; retf 23_2_00463EEC
              Source: advancePayment-pdf.exe | Static PE information: section name: .text entropy: 7.59262053181599
              Source: yavascript.exe.0.dr | Static PE information: section name: .text entropy: 7.59262053181599
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe | File created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe

              Boot Survival

              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\advancePayment-pdf.exeCode function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
              Source: C:\Users\user\Desktop\advancePayment-pdf.exeCode function: 0_2_047BE7B6 Sleep,ExitProcess,0_2_047BE7B6
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 15_2_0040E54F Sleep,ExitProcess,15_2_0040E54F
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 15_2_046FE7B6 Sleep,ExitProcess,15_2_046FE7B6
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 23_2_0040E54F Sleep,ExitProcess,23_2_0040E54F
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 23_2_047DE7B6 Sleep,ExitProcess,23_2_047DE7B6
              Source: C:\Users\user\Desktop\advancePayment-pdf.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198C2
              Source: C:\Users\user\Desktop\advancePayment-pdf.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_047C9B29
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,15_2_004198C2
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,15_2_04709B29
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,23_2_004198C2
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,23_2_047E9B29
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeWindow / User API: threadDelayed 801Jump to behavior
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeWindow / User API: threadDelayed 9191Jump to behavior
              Source: C:\Users\user\Desktop\advancePayment-pdf.exeEvaded block: after key decisiongraph_0-88724
              Source: C:\Users\user\Desktop\advancePayment-pdf.exeEvaded block: after key decisiongraph_0-88696
              Source: C:\Users\user\Desktop\advancePayment-pdf.exeAPI coverage: 3.6 %
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeAPI coverage: 6.2 %
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeAPI coverage: 3.4 %
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 1784Thread sleep count: 801 > 30Jump to behavior
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 1784Thread sleep time: -2403000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 1784Thread sleep count: 9191 > 30Jump to behavior
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 1784Thread sleep time: -27573000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Users\user\Desktop\advancePayment-pdf.exeCode function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_0041B42F
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040B53A
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0044D5E9 FindFirstFileExA, 0_2_0044D5E9
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 0_2_004089A9
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW, 0_2_00406AC2
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_00407A8C
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00418C69
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 0_2_00408DA7
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047BB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_047BB59C
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047CB696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_047CB696
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047B900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_047B900E
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047B7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_047B7CF3
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047B6D29 FindFirstFileW,FindNextFileW, 0_2_047B6D29
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047C8ED0 FindFirstFileW, 0_2_047C8ED0
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047FD850 FindFirstFileExA, 0_2_047FD850
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_0040B335
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 15_2_0041B42F
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 15_2_0040B53A
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_0044D5E9 FindFirstFileExA, 15_2_0044D5E9
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 15_2_004089A9
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW, 15_2_00406AC2
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 15_2_00407A8C
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 15_2_00418C69
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 15_2_00408DA7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_046FB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_046FB59C
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_0470B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 15_2_0470B696
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_046F900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_046F900E
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_046F7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 15_2_046F7CF3
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_046F6D29 FindFirstFileW,FindNextFileW, 15_2_046F6D29
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_04708ED0 FindFirstFileW, 15_2_04708ED0
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_0473D850 FindFirstFileExA, 15_2_0473D850
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 23_2_0040B335
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 23_2_0041B42F
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 23_2_0040B53A
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_0044D5E9 FindFirstFileExA, 23_2_0044D5E9
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 23_2_004089A9
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_00406AC2 FindFirstFileW,FindNextFileW, 23_2_00406AC2
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 23_2_00407A8C
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 23_2_00418C69
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 23_2_00408DA7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_047DB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 23_2_047DB59C
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_047EB696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 23_2_047EB696
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_047D900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 23_2_047D900E
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_047D7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 23_2_047D7CF3
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_047D6D29 FindFirstFileW,FindNextFileW, 23_2_047D6D29
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_047E8ED0 FindFirstFileW, 23_2_047E8ED0
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_0481D850 FindFirstFileExA, 23_2_0481D850
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00406F06
              Source: Amcache.hve.4.dr Binary or memory string: VMware
              Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
              Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
              Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: yavascript.exe, 0000000F.00000002.4487472607.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000003.2280910047.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
              Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
              Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: yavascript.exe, 0000000F.00000002.4487472607.0000000002E15000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000003.2280910047.0000000002E15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW"5
              Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
              Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
              Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe API call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043A65D
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041BCE3
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h] 0_2_00442554
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_02CD9EAB push dword ptr fs:[00000030h] 0_2_02CD9EAB
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047F27BB mov eax, dword ptr fs:[00000030h] 0_2_047F27BB
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047B0D90 mov eax, dword ptr fs:[00000030h] 0_2_047B0D90
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047B092B mov eax, dword ptr fs:[00000030h] 0_2_047B092B
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_00442554 mov eax, dword ptr fs:[00000030h] 15_2_00442554
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_02D69BDB push dword ptr fs:[00000030h] 15_2_02D69BDB
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_047327BB mov eax, dword ptr fs:[00000030h] 15_2_047327BB
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_046F0D90 mov eax, dword ptr fs:[00000030h] 15_2_046F0D90
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_046F092B mov eax, dword ptr fs:[00000030h] 15_2_046F092B
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_00442554 mov eax, dword ptr fs:[00000030h] 23_2_00442554
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_02D3C98B push dword ptr fs:[00000030h] 23_2_02D3C98B
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_048127BB mov eax, dword ptr fs:[00000030h] 23_2_048127BB
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_047D0D90 mov eax, dword ptr fs:[00000030h] 23_2_047D0D90
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_047D092B mov eax, dword ptr fs:[00000030h] 23_2_047D092B
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0044E92E GetProcessHeap, 0_2_0044E92E
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00434168
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043A65D
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00433B44
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00433CD7 SetUnhandledExceptionFilter, 0_2_00433CD7
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047E43CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_047E43CF
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047E3DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_047E3DAB
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_047EA8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_047EA8C4
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00434168
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0043A65D
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00433B44
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_00433CD7 SetUnhandledExceptionFilter, 15_2_00433CD7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_047243CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_047243CF
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_04723DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_04723DAB
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 15_2_0472A8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0472A8C4
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00434168
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_0043A65D
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00433B44
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_00433CD7 SetUnhandledExceptionFilter, 23_2_00433CD7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_048043CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_048043CF
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_04803DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_04803DAB
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 23_2_0480A8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_0480A8C4
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00410F36
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 15_2_00410F36
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 23_2_00410F36
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00418754 mouse_event, 0_2_00418754
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
              Source: yavascript.exe, 0000000F.00000002.4487367180.0000000002DFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: yavascript.exe, 0000000F.00000002.4487367180.0000000002DFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerzql
              Source: yavascript.exe, 0000000F.00000002.4487367180.0000000002DFE000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00433E0A cpuid 0_2_00433E0A
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: EnumSystemLocalesW, 0_2_004470AE
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoW, 0_2_004510BA
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004511E3
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoW, 0_2_004512EA
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004513B7
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoW, 0_2_00447597
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoA, 0_2_0040E679
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00450A7F
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: EnumSystemLocalesW, 0_2_00450CF7
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: EnumSystemLocalesW, 0_2_00450D42
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: EnumSystemLocalesW, 0_2_00450DDD
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00450E6A
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0480144A
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoW, 0_2_04801551
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0480161E
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoW, 0_2_047F77FE
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: EnumSystemLocalesW, 0_2_04801044
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: EnumSystemLocalesW, 0_2_047F7315
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoW, 0_2_04801321
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_04800CE6
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: EnumSystemLocalesW, 0_2_04800FA9
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: EnumSystemLocalesW, 0_2_04800F5E
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: GetLocaleInfoA, 0_2_047BE8E0
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoA, 15_2_0040E679
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 15_2_004470AE
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 15_2_004510BA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 15_2_004511E3
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 15_2_004512EA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 15_2_004513B7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 15_2_00447597
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 15_2_00450A7F
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 15_2_00450CF7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 15_2_00450D42
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 15_2_00450DDD
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 15_2_00450E6A
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 15_2_0474144A
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 15_2_04741551
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 15_2_0474161E
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 15_2_047377FE
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 15_2_04741044
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 15_2_04741321
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 15_2_04737315
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 15_2_04740CE6
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 15_2_04740F5E
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 15_2_04740FA9
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoA, 15_2_046FE8E0
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 23_2_004470AE
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 23_2_004510BA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 23_2_004511E3
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 23_2_004512EA
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 23_2_004513B7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 23_2_00447597
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoA, 23_2_0040E679
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 23_2_00450A7F
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 23_2_00450CF7
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 23_2_00450D42
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 23_2_00450DDD
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 23_2_00450E6A
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 23_2_0482144A
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 23_2_04821551
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 23_2_0482161E
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 23_2_048177FE
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 23_2_04821044
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 23_2_04817315
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoW, 23_2_04821321
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 23_2_04820CE6
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 23_2_04820FA9
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: EnumSystemLocalesW, 23_2_04820F5E
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: GetLocaleInfoA, 23_2_047DE8E0
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00434010
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW, 0_2_0041A7A2
              Source: C:\Users\user\Desktop\advancePayment-pdf.exe Code function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_0044800F
              Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
              Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

Yara matches, unpacked PE files (type UNPACKEDPE), grouped by process index:
  0 advancePayment-pdf.exe: 0.2.advancePayment-pdf.exe.400000.0.unpack, 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, 0.3.advancePayment-pdf.exe.4830000.0.unpack, 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack
  15 yavascript.exe: 15.2.yavascript.exe.400000.0.unpack, 15.2.yavascript.exe.400000.0.raw.unpack, 15.2.yavascript.exe.46f0e67.1.unpack, 15.2.yavascript.exe.46f0e67.1.raw.unpack, 15.3.yavascript.exe.48e0000.0.unpack, 15.3.yavascript.exe.48e0000.0.raw.unpack
  23 yavascript.exe: 23.2.yavascript.exe.400000.0.unpack, 23.2.yavascript.exe.400000.0.raw.unpack, 23.2.yavascript.exe.47d0e67.1.unpack, 23.2.yavascript.exe.47d0e67.1.raw.unpack, 23.3.yavascript.exe.48a0000.0.unpack, 23.3.yavascript.exe.48a0000.0.raw.unpack
Yara matches, memory dumps (type MEMORY):
  process 00000000 (advancePayment-pdf.exe): 00000000.00000002.2301983250.0000000002D27000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp
  process 0000000F (yavascript.exe): 0000000F.00000002.4487367180.0000000002DAD000.00000004.00000020.00020000.00000000.sdmp, 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp
  process 00000017 (yavascript.exe): 00000017.00000002.2310830202.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp
Yara matches, process memory strings (type MEMORYSTR): advancePayment-pdf.exe PID 6076; yavascript.exe PID 3364; yavascript.exe PID 6540
Code functions referencing browser credential stores (the same function offsets appear in the dropped copy, so the stealer code is carried unchanged from the initial sample into yavascript.exe):
  0_2_0040B21B (C:\Users\user\Desktop\advancePayment-pdf.exe), 15_2_0040B21B and 23_2_0040B21B (C:\Users\user\AppData\Roaming\xenor\yavascript.exe): \AppData\Local\Google\Chrome\User Data\Default\Login Data
  0_2_0040B335 (C:\Users\user\Desktop\advancePayment-pdf.exe), 15_2_0040B335 and 23_2_0040B335 (C:\Users\user\AppData\Roaming\xenor\yavascript.exe): \AppData\Roaming\Mozilla\Firefox\Profiles\ and \key3.db

              Remote Access Functionality

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983, by C:\Users\user\Desktop\advancePayment-pdf.exe and by each of the two C:\Users\user\AppData\Roaming\xenor\yavascript.exe instances. The same Rmc-I7G983 string is reused as the value name of the Run key recorded in the timeline below, so mutex name and autostart entry can be hunted together.
Yara matches, unpacked PE files (type UNPACKEDPE), grouped by process index:
  0 advancePayment-pdf.exe: 0.2.advancePayment-pdf.exe.400000.0.unpack, 0.2.advancePayment-pdf.exe.400000.0.raw.unpack, 0.2.advancePayment-pdf.exe.47b0e67.1.unpack, 0.2.advancePayment-pdf.exe.47b0e67.1.raw.unpack, 0.3.advancePayment-pdf.exe.4830000.0.unpack, 0.3.advancePayment-pdf.exe.4830000.0.raw.unpack
  15 yavascript.exe: 15.2.yavascript.exe.400000.0.unpack, 15.2.yavascript.exe.400000.0.raw.unpack, 15.2.yavascript.exe.46f0e67.1.unpack, 15.2.yavascript.exe.46f0e67.1.raw.unpack, 15.3.yavascript.exe.48e0000.0.unpack, 15.3.yavascript.exe.48e0000.0.raw.unpack
  23 yavascript.exe: 23.2.yavascript.exe.400000.0.unpack, 23.2.yavascript.exe.400000.0.raw.unpack, 23.2.yavascript.exe.47d0e67.1.unpack, 23.2.yavascript.exe.47d0e67.1.raw.unpack, 23.3.yavascript.exe.48a0000.0.unpack, 23.3.yavascript.exe.48a0000.0.raw.unpack
Yara matches, memory dumps (type MEMORY):
  process 00000000 (advancePayment-pdf.exe): 00000000.00000002.2301983250.0000000002D27000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp
  process 0000000F (yavascript.exe): 0000000F.00000002.4487367180.0000000002DAD000.00000004.00000020.00020000.00000000.sdmp, 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp
  process 00000017 (yavascript.exe): 00000017.00000002.2310830202.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp
Yara matches, process memory strings (type MEMORYSTR): advancePayment-pdf.exe PID 6076; yavascript.exe PID 3364; yavascript.exe PID 6540
Code function 0_2_00405042 (C:\Users\user\Desktop\advancePayment-pdf.exe), 15_2_00405042 and 23_2_00405042 (C:\Users\user\AppData\Roaming\xenor\yavascript.exe) reference cmd.exe (remote shell capability).
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count shown in the original matrix cell, techniques without a number are the unmatched cells of the matrix template)

Reconnaissance: none matched (Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses)
Resource Development: none matched (Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure)
Initial Access: none matched (Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise)
Execution: Windows Management Instrumentation (1), Native API (2), Command and Scripting Interpreter (12), Service Execution (2); unmatched: Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Windows Service (1), Registry Run Keys / Startup Folder (11); unmatched: Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (22), Registry Run Keys / Startup Folder (11); unmatched: Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1), Bypass User Account Control (1), Masquerading (1), Virtualization/Sandbox Evasion (2), Access Token Manipulation (1), Process Injection (22); unmatched: Dynamic API Resolution
Credential Access: OS Credential Dumping (1), Input Capture (111), Credentials In Files (2); unmatched: NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (3), System Information Discovery (33), Security Software Discovery (141), Virtualization/Sandbox Evasion (2), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: none matched (Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot)
Collection: Archive Collected Data (11), Input Capture (111), Clipboard Data (3); unmatched: Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Ingress Tool Transfer (12), Encrypted Channel (2), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (2), Application Layer Protocol (12); unmatched: Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: none matched (Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol)
Impact: System Shutdown/Reboot (1), Defacement (1); unmatched: Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior Graph (ID 1553456, sample advancePayment-pdf.exe, start date 11/11/2024, architecture WINDOWS, score 100)

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures. Resolved DNS name: geoplugin.net.

advancePayment-pdf.exe (started)
  dropped: C:\Users\user\AppData\...\yavascript.exe (PE32); C:\Users\...\yavascript.exe:Zone.Identifier (ASCII)
  signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); Detected Remcos RAT; 6 other signatures
  started: yavascript.exe; WerFault.exe (two instances); 5 other processes
    yavascript.exe
      network: 198.23.227.212, ports 32583 and 49706 (49706 lies in the Windows dynamic client range, so 32583 is the C2 listening port), AS-COLOCROSSINGUS, United States; geoplugin.net 178.237.33.50 port 80 (local port 49736), ATOM86-ASATOM86NL, Netherlands
      signatures: Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); 5 other signatures
      started: WerFault.exe (three instances); 5 other processes
yavascript.exe (second instance, started outside the sample's process tree)
  started: WerFault.exe

Antivirus detection, initial sample
Source                   Detection  Scanner         Label
advancePayment-pdf.exe   53%        ReversingLabs   Win32.Trojan.CrypterX
advancePayment-pdf.exe   62%        Virustotal
advancePayment-pdf.exe   100%       Joe Sandbox ML

Antivirus detection, dropped files
Source                                              Detection  Scanner         Label
C:\Users\user\AppData\Roaming\xenor\yavascript.exe  53%        ReversingLabs   Win32.Trojan.CrypterX
C:\Users\user\AppData\Roaming\xenor\yavascript.exe  62%        Virustotal
No Antivirus matches (remaining three scanner tables)
Domains
Name           IP              Active  Malicious  Reputation
geoplugin.net  178.237.33.50   true    false      high
URLs contacted
Name                          Malicious  Reputation
http://geoplugin.net/json.gp  false      high
URLs found in memory (none marked malicious, reputation high for all). The trailing characters on several geoplugin.net entries (1, 8, B, /C, l, System32, O) are run-on bytes from string extraction, not distinct URLs; the only URL the sample uses is http://geoplugin.net/json.gp.
Name                                     Found in
http://geoplugin.net/json.gp1            yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp; yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
http://upx.sf.net                        Amcache.hve.4.dr
http://geoplugin.net/json.gp8            yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp; yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
http://geoplugin.net/B                   yavascript.exe, 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp
http://geoplugin.net/                    yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp; yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
http://geoplugin.net/json.gp/C           advancePayment-pdf.exe, 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp; advancePayment-pdf.exe, 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp; advancePayment-pdf.exe, 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp; yavascript.exe, 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp; yavascript.exe, 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp; yavascript.exe, 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp; yavascript.exe, 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp; yavascript.exe, 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp; yavascript.exe, 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp
http://geoplugin.net/json.gpl            yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp; yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
http://geoplugin.net/json.gpSystem32     yavascript.exe, 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp
http://geoplugin.net/json.gpO            yavascript.exe, 0000000F.00000003.2280910047.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp; yavascript.exe, 0000000F.00000002.4487367180.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
IPs
IP              Domain         Country        ASN    ASN Name            Malicious
198.23.227.212  unknown        United States  36352  AS-COLOCROSSINGUS   true
178.237.33.50   geoplugin.net  Netherlands    8455   ATOM86-ASATOM86NL   false

Only 198.23.227.212 is the C2. geoplugin.net is a public geolocation API that Remcos queries after start-up; the report marks it non-malicious, so it is a correlation indicator (a non-browser process fetching /json.gp right after an outbound connection on an unusual port), not a block target.
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1553456
Start date and time: 2024-11-11 08:59:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: advancePayment-pdf.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@20/68@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 17
• Number of non-executed functions: 382
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 52.165.164.15, 20.42.73.29, 20.12.23.50
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Timeline
Time      Type             Description
03:00:22  API Interceptor  2x Sleep call for process: WerFault.exe modified
03:00:44  API Interceptor  3738462x Sleep call for process: yavascript.exe modified
08:59:59  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
09:00:08  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"

The 3,738,462 modified Sleep calls show the sandbox shortening a tight sleep loop in yavascript.exe (the delayed-exit behaviour flagged in the signatures). The Run value is written twice, under the 32-bit (HKCU) and 64-bit (HKCU64) views of the same key, with the mutex name Rmc-I7G983 as value name and the dropped %APPDATA%\xenor\yavascript.exe as target.
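The host and network indicators above (Rmc-I7G983 mutex and Run value, the dropped binary under %APPDATA%\xenor, the C2 at 198.23.227.212 on port 32583, the geoplugin.net check-in, and the Chrome/Firefox credential-store strings) are enough to write a small correlation check. The following Python is an added example, not Joe Sandbox output or Remcos code: it evaluates constructed telemetry records modelled on this report (process image, registry set, mutex creation, network connect, file read) and groups findings per process. Assumptions it makes: mutex events are available (sandbox or EDR telemetry, Sysmon alone does not log them); 32583 is the server port of the C2 connection; and the `Rmc-` + six alphanumerics pattern generalises the single Rmc-I7G983 value this report shows to Remcos's default naming.

```python
"""Remcos host/network indicator correlation over constructed telemetry.

Added example, not sandbox output. Indicator values come from the report;
the event records are constructed to mirror its timeline.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Indicators observed in the report.
C2_IPS = {"198.23.227.212"}          # Remcos C2 from the malware config, port 32583
GEO_BEACON = "geoplugin.net"         # geolocation check-in made after C2 contact
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# Remcos names its mutex and Run value "Rmc-" + six alphanumerics; the report
# shows Rmc-I7G983, the pattern generalises to that prefix (assumption).
RMC_NAME_RE = re.compile(r"^Rmc-[A-Z0-9]{6}$")
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
CRED_STORES = (                      # strings found in the unpacked code
    r"\Google\Chrome\User Data\Default\Login Data",
    r"\Mozilla\Firefox\Profiles",
)
BROWSERS = {"chrome.exe", "firefox.exe"}
WEB_PORTS = {80, 443}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return {image: [finding, ...]} for processes matching report indicators.

    Each event is a dict with "type" and "image" (full path of the acting
    process); the other keys depend on the type, see SAMPLE_EVENTS.
    """
    findings = defaultdict(list)
    for ev in events:
        img, kind = ev["image"], ev["type"]
        if kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            if RMC_NAME_RE.match(ev["value_name"]):
                findings[img].append(f"persistence: Remcos-style Run value {ev['value_name']}")
            if APPDATA_RE.search(ev["data"]):
                findings[img].append(f"persistence: Run value launches {ev['data']}")
        elif kind == "mutex" and RMC_NAME_RE.match(ev["name"]):
            findings[img].append(f"remcos mutex {ev['name']}")
        elif kind == "net_connect":
            ip, port = ev["dst_ip"], ev["dst_port"]
            if ip in C2_IPS:
                findings[img].append(f"c2: {ip}:{port}")
            elif (ip_address(ip).is_global and port not in WEB_PORTS
                  and APPDATA_RE.search(img)):
                findings[img].append(f"non-standard port from AppData binary: {ip}:{port}")
            if ev.get("dst_host") == GEO_BEACON and _basename(img) not in BROWSERS:
                findings[img].append("geolocation beacon to geoplugin.net")
        elif kind == "file_read" and _basename(img) not in BROWSERS:
            for store in CRED_STORES:
                if store.lower() in ev["path"].lower():
                    findings[img].append(f"credential store read: {ev['path']}")
    return dict(findings)


def verdict(findings):
    """'remcos' when a process shows C2 or the mutex plus another indicator."""
    out = {}
    for img, hits in findings.items():
        strong = any(h.startswith(("c2:", "remcos mutex")) for h in hits)
        out[img] = "remcos" if strong and len(hits) >= 2 else "suspicious"
    return out


# Constructed events mirroring the report (not sandbox output).
USER = r"C:\Users\user"
DROPPED = USER + r"\AppData\Roaming\xenor\yavascript.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOGIN_DATA = USER + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": USER + r"\Desktop\advancePayment-pdf.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Rmc-I7G983", "data": f'"{DROPPED}"'},
    {"type": "mutex", "image": DROPPED, "name": "Rmc-I7G983"},
    {"type": "net_connect", "image": DROPPED, "dst_ip": "198.23.227.212", "dst_port": 32583},
    {"type": "net_connect", "image": DROPPED, "dst_ip": "178.237.33.50", "dst_port": 80,
     "dst_host": "geoplugin.net"},
    {"type": "file_read", "image": DROPPED, "path": LOGIN_DATA},
    # Benign noise: the browser reading its own store and a normal HTTPS connection.
    {"type": "file_read", "image": CHROME, "path": LOGIN_DATA},
    {"type": "net_connect", "image": CHROME, "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for img, label in verdict(hits).items():
        print(f"{label:10} {img}")
        for h in hits[img]:
            print("           -", h)
```

Run on the constructed events, the dropped yavascript.exe collects four findings (mutex, C2, geolocation beacon, Chrome Login Data read) and is labelled remcos; the initial advancePayment-pdf.exe only shows the Run-key write and stays at suspicious; chrome.exe reading its own Login Data produces nothing. The browser allow-list is the weak point of the credential-store rule: a process that injects into chrome.exe would be missed, which is why the mutex and C2 rules are weighted as the strong indicators.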
Context, IP 198.23.227.212: other samples seen contacting this address, all detected as Remcos: YESOHDKMIm.exe, NujUXO42Rg.exe, ZeaS4nUxg4.exe, documents-pdf.exe, 1kZ9olJiaG.exe, ltlbVjClX9.exe
Context, IP 178.237.33.50: other malicious samples contacting it, each with context geoplugin.net/json.gp:
Sample                                                          Threat Name
RFQ-24064562-SUPPLY-NOv-ORDER.com.exe                           Remcos, GuLoader
rPO3799039985.exe                                               Remcos, GuLoader
qy8i3kM2Ir.exe                                                  GuLoader, Remcos
ORDER#73672-MAT37367.exe                                        Remcos
Image_Product_Inquiry_Request_Villoslada.exe                    Remcos, GuLoader
CEBI_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe   Remcos, GuLoader
Quotation Request #100028153.exe                                Remcos
asegurar.vbs                                                    Remcos
rIMGCY46473567583458675867864894698467458.exe                   Remcos, GuLoader
RAINBOW_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe GuLoader, Remcos
Context, domain geoplugin.net: other malicious samples resolving it, each with context 178.237.33.50:
Sample                                                          Threat Name
RFQ-24064562-SUPPLY-NOv-ORDER.com.exe                           Remcos, GuLoader
rPO3799039985.exe                                               Remcos, GuLoader
qy8i3kM2Ir.exe                                                  GuLoader, Remcos
ORDER#73672-MAT37367.exe                                        Remcos
Image_Product_Inquiry_Request_Villoslada.exe                    Remcos, GuLoader
CEBI_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe   Remcos, GuLoader
Quotation Request #100028153.exe                                Remcos
asegurar.vbs                                                    Remcos
rIMGCY46473567583458675867864894698467458.exe                   Remcos, GuLoader
RAINBOW_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe GuLoader, Remcos
Context, ASN AS-COLOCROSSINGUS: other malicious samples using this ASN (the hosting provider is shared across unrelated families, so the ASN alone is a weak indicator):
Sample                                                              Threat Name                              Context IP
http://192.3.220.22/430/dllhost.exe                                 Unknown                                  192.3.220.22
camp.mips.elf                                                       Mirai                                    198.12.107.126
camp.ppc.elf                                                        Mirai                                    198.12.107.126
yakuza.mips.elf                                                     Unknown                                  23.95.39.191
Inquiry HA-22-28199 22-077.vbs                                      Snake Keylogger, VIP Keylogger           107.174.244.110
seethebestthingswithentirelifetaggreatwithmebestofthem.hta          Cobalt Strike, FormBook, HTMLPhisher     107.175.130.36
creatbesthingswithbettersytelgivenmebestthingstobe.hta              Cobalt Strike, FormBook, HTMLPhisher     192.3.193.146
Document.xla.xlsx                                                   FormBook, HTMLPhisher                    192.3.193.146
8DyqLn07Y2.elf                                                      Mirai                                    198.12.107.126
Quotation Request #100028153.exe                                    Remcos                                   198.46.178.142
Context, ASN ATOM86-ASATOM86NL: other malicious samples using this ASN, each with context IP 178.237.33.50 (geoplugin.net):
Sample                                                          Threat Name
RFQ-24064562-SUPPLY-NOv-ORDER.com.exe                           Remcos, GuLoader
rPO3799039985.exe                                               Remcos, GuLoader
qy8i3kM2Ir.exe                                                  GuLoader, Remcos
ORDER#73672-MAT37367.exe                                        Remcos
fK4N7E6bFV.exe                                                  Remcos
Image_Product_Inquiry_Request_Villoslada.exe                    Remcos, GuLoader
CEBI_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe   Remcos, GuLoader
Quotation Request #100028153.exe                                Remcos
asegurar.vbs                                                    Remcos
rIMGCY46473567583458675867864894698467458.exe                   Remcos, GuLoader
                                                No context
                                                No context
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.0124715564420297
                                                Encrypted:false
                                                SSDEEP:192:S89bdSrTmyO0BAjc/DjueZrsLedzuiFkZ24IO8mgN:TdSrTmy1BAjc/DjTzuiFkY4IO8mgN
                                                MD5:19F3E79F7DA36BFA89EA5E886C7D0653
                                                SHA1:7D2035E642E98C9A113D00AF167D5957399716CD
                                                SHA-256:24C324A8B78B4ABA0FB2E91F78B5065688B0599AE05815965BE7717CBCE5F9B1
                                                SHA-512:4A26E99944C8D01FE42A9FDD8CB1D7744A7873F8F91B884F3FEBE5147F96FDED058C6A5C8AC4268EDD1FA4EC69EAD5280F3B14F860C97FC45DC11CD8607A954D
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.0.3.7.6.5.0.9.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.7.8.5.6.0.4.4.6.8.2.1.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.d.d.7.e.4.9.-.9.5.d.e.-.4.0.9.b.-.a.4.1.f.-.a.d.6.4.1.5.8.1.0.6.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.f.c.d.b.0.f.-.0.d.2.2.-.4.f.4.b.-.a.e.7.7.-.8.1.c.0.f.3.8.2.0.9.d.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.b.c.-.0.0.0.1.-.0.0.1.4.-.a.2.b.e.-.8.2.b.1.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.6.f.c.2.e.3.c.1.1.a.6.6.1.5.0.a.c.d.6.e.6.1.2.f.b.e.a.6.c.e.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9303052814439555
                                                Encrypted:false
                                                SSDEEP:192:kqGdSrTly3Q056rO/DjueZrsrzuiF/Z24IO8mgN:kFdSrTly3r56rO/Dj2zuiF/Y4IO8mgN
                                                MD5:CDFF3AAB318DD7C567C3E9C7B1288FE9
                                                SHA1:F0044DC93ED276FCBD84C34FE05C7F16802AC332
                                                SHA-256:9BB4DD790C29C58ADF9806D17F188FA2B296E955916E1401CE190DBECD0C47FD
                                                SHA-512:BA977F62D233BFE4E24EBB5A1585253E8E1BFD74CF5F4B915DA01397D582C841F42F0C901871F0A8396D4D3ED19ABF6F8356BF74D419EDBD881F342628C59FA2
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.5.9.9.1.9.5.0.9.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.d.3.0.3.1.4.-.2.8.c.c.-.4.c.a.f.-.b.8.2.2.-.0.c.b.1.0.d.5.d.3.1.1.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.1.0.6.6.a.f.-.c.0.0.0.-.4.b.9.0.-.a.2.c.5.-.8.d.0.7.6.f.7.f.6.1.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.b.c.-.0.0.0.1.-.0.0.1.4.-.a.2.b.e.-.8.2.b.1.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.6.f.c.2.e.3.c.1.1.a.6.6.1.5.0.a.c.d.6.e.6.1.2.f.b.e.a.6.c.e.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.a.d.v.a.n.c.e.P.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9301478055801473
                                                Encrypted:false
                                                SSDEEP:192:GdSrTwy3Q056rO/DjueZrsrzuiF/Z24IO8mgN:GdSrTwy3r56rO/Dj2zuiF/Y4IO8mgN
                                                MD5:3650DF015C896569999E3D5519B2374D
                                                SHA1:8FB0E75F5CF43F87E87C1E3D581C6A1FDA7A7831
                                                SHA-256:887F893BA1AE18B090BD97462C88170C54D58085D0B8C14CEAC2C1DEAAB38229
                                                SHA-512:8C37F9A49FA1AB6A6590C816C81AF641AA68DA9DC09804613D42A1EE8058258C92634828FE5949F9921E61DFB9B755A25E3D5DE6407638C4F0D362F854DA2BB7
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.5.9.8.4.6.4.3.4.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.0.c.1.e.6.b.-.4.4.c.1.-.4.c.d.9.-.8.4.2.6.-.3.a.d.9.e.e.e.e.0.4.0.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.1.1.c.6.7.6.-.7.9.6.2.-.4.3.6.0.-.8.3.1.6.-.d.9.2.0.0.4.5.f.3.b.5.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.b.c.-.0.0.0.1.-.0.0.1.4.-.a.2.b.e.-.8.2.b.1.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.6.f.c.2.e.3.c.1.1.a.6.6.1.5.0.a.c.d.6.e.6.1.2.f.b.e.a.6.c.e.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.a.d.v.a.n.c.e.P.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9165733466032074
                                                Encrypted:false
                                                SSDEEP:192:IjdSrTsy3Q056rO/DjueZrsCzuiF/Z24IO8mgN:UdSrTsy3r56rO/DjnzuiF/Y4IO8mgN
                                                MD5:154A17859E437CFB1B573752828827FD
                                                SHA1:568C8DD658B8CDEE48D1E18442F9655057E133EB
                                                SHA-256:819FCEA84276784FC4974D247717798066247C6B3908F9BF485600597A9EABAC
                                                SHA-512:E987095B6E53F588776383C054BDEDB9C30A41BFDAD4612D1A6A96E04EA90B7187C564E8D51DE1C6747BC4D005BA4A8531E31353320C7AC03B240796F47ED486
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.5.9.7.7.8.8.3.4.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.7.b.3.7.9.8.-.9.4.a.a.-.4.a.6.4.-.8.e.5.a.-.1.9.d.7.f.0.6.e.3.a.3.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.9.6.c.2.1.0.-.a.5.f.2.-.4.3.b.3.-.8.f.c.2.-.d.a.f.c.2.b.b.f.1.0.6.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.b.c.-.0.0.0.1.-.0.0.1.4.-.a.2.b.e.-.8.2.b.1.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.6.f.c.2.e.3.c.1.1.a.6.6.1.5.0.a.c.d.6.e.6.1.2.f.b.e.a.6.c.e.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.a.d.v.a.n.c.e.P.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):65536
                                                Entropy (8bit):0.9299309714259157
                                                Encrypted:false
                                                SSDEEP:192:r+dSrTwy3Q056rO/DjueZrsrzuiF/Z24IO8mgN:r+dSrTwy3r56rO/Dj2zuiF/Y4IO8mgN
                                                MD5:A539018AC139ABE8E47D1F16BE7D77DE
                                                SHA1:4072E84A873C8D8F95239697A258050DAB8D455C
                                                SHA-256:E6CD8F2B530CC2317DACB69CA9B6EE5FF10DE4391D74A19C3EC878140F5684ED
                                                SHA-512:25FBE2AB061E0E1016BB6B9F214DA56A65EFD54CFFC640B37C674E297357977931ED2B263AB2ECEDB54EFFB444E9F34684533F8616E8292490E94899FDDBD3DD
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.0.1.3.6.6.2.7.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.5.d.e.3.2.9.-.6.9.1.d.-.4.9.6.8.-.8.6.a.b.-.1.a.c.5.f.2.8.e.5.1.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.6.1.7.8.e.6.a.-.1.3.f.d.-.4.4.d.0.-.a.f.d.1.-.b.3.b.0.7.1.0.a.c.c.6.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.b.c.-.0.0.0.1.-.0.0.1.4.-.a.2.b.e.-.8.2.b.1.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.6.f.c.2.e.3.c.1.1.a.6.6.1.5.0.a.c.d.6.e.6.1.2.f.b.e.a.6.c.e.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.a.d.v.a.n.c.e.P.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9300010985930324
                                                Encrypted:false
                                                SSDEEP:192:pxdSrTSy3Q056rO/DjueZrsrzuiF/Z24IO8mgN:pxdSrTSy3r56rO/Dj2zuiF/Y4IO8mgN
                                                MD5:C0DEF4CDA2D7D039290BFD0E7C006254
                                                SHA1:821D5A1EF8F9106BBEE75C2C099468027FEA7232
                                                SHA-256:D91040A6326575A5767310757B09C9904256DFA22C7D22CEAE728CBE249E29DE
                                                SHA-512:788C9C74A56A51B0876583B633B2FA15DA6F710806EAB0FDF487A669AA959087064090C38DFB23363D3640E71A1DDCA091E8E686ADF72456EB3C0D3D6AE11575
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.0.2.5.8.6.1.2.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.f.f.8.0.7.3.-.c.e.3.7.-.4.5.4.3.-.8.a.d.c.-.7.8.d.f.0.0.b.d.d.8.b.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.8.e.c.f.d.8.-.6.0.9.d.-.4.9.4.d.-.8.3.b.e.-.9.7.9.4.7.d.7.d.3.a.a.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.b.c.-.0.0.0.1.-.0.0.1.4.-.a.2.b.e.-.8.2.b.1.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.6.f.c.2.e.3.c.1.1.a.6.6.1.5.0.a.c.d.6.e.6.1.2.f.b.e.a.6.c.e.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.a.d.v.a.n.c.e.P.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9302674870640142
                                                Encrypted:false
                                                SSDEEP:192:jbbdSrT7y3Q056rO/DjueZrsrzuiF/Z24IO8mgN:7dSrT7y3r56rO/Dj2zuiF/Y4IO8mgN
                                                MD5:1C3A05D797298FA34639AF309DD754F3
                                                SHA1:F03ABB72D70BE1C389D740329744A292A46906A9
                                                SHA-256:8CC7DA8E5C815D935D53DEA0D47C09114B280FDE4BECEF7888054FA44C5A132C
                                                SHA-512:4E472BB9CA07DC92810E15409C513567389360575D13A1B0D0847A46EE328EBFECF697F57996FD324C00EEE64B16019550E4DF7F0B58B40F9D82F0227C2C12FE
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.0.0.6.5.6.3.3.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.1.f.c.7.c.e.-.9.c.4.6.-.4.a.9.0.-.9.a.9.9.-.e.9.e.8.1.9.4.e.9.a.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.4.5.3.3.1.e.-.c.5.8.f.-.4.7.8.f.-.8.4.5.4.-.8.a.7.c.e.7.a.3.1.7.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.b.c.-.0.0.0.1.-.0.0.1.4.-.a.2.b.e.-.8.2.b.1.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.6.f.c.2.e.3.c.1.1.a.6.6.1.5.0.a.c.d.6.e.6.1.2.f.b.e.a.6.c.e.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.a.d.v.a.n.c.e.P.a.y.m.e.n.t.-.p.d.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.a.d.v.a.n.c.e.P.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8563443623872263
                                                Encrypted:false
                                                SSDEEP:96:h3pus16/H4ifMQXIDcQnc6rCcEhcw3rr+HbHg/8BRTf3Oy1EoqzIPtZrXOnmETkr:RpuF056rAjueZrizuiF/Z24IO8P
                                                MD5:93701F1179CCC2455F1A434E1BC2A651
                                                SHA1:144C598B080017DC5F64D62A92370138817F9894
                                                SHA-256:308D210664B5014FCB20E2B93BED4E0CB8E43291C38B64CD5DDB7E0BAB3DE1EF
                                                SHA-512:A567D637F053261E92A4883509C3C4C2D6AAF263834D8281554A6AEB298188DC83A486F15B69AD366575C0AB668F2C4C34A435FDDEC4E238E003FE020945A9C8
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.0.6.8.5.4.9.3.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.7.c.5.7.4.7.-.6.e.2.4.-.4.2.7.e.-.9.e.2.7.-.8.6.0.9.8.6.6.6.1.6.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.e.b.e.b.f.0.-.7.4.d.8.-.4.3.8.0.-.9.6.9.0.-.e.2.4.c.9.8.5.3.3.1.f.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.4.-.0.0.0.1.-.0.0.1.4.-.6.4.a.d.-.b.8.b.6.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.2.6.2.a.b.b.2.f.1.9.c.a.8.7.4.0.3.3.2.6.3.3.0.b.9.d.a.9.f.7.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9261274595340296
                                                Encrypted:false
                                                SSDEEP:96:D7hZkes16/H4ifMQXIDcQnc6rCcEhcw3rr+HbHg/8BRTf3Oy1EoqzIPtZrXOnmEa:HhZkeF056rAjueZrbfzuiF/Z24IO8PU
                                                MD5:EBEC6726428B90726B7A271E183B3507
                                                SHA1:FA362E616AD5CDB4E66E17174034CB8F9DAF07D0
                                                SHA-256:8991DEE5075D5507640F830265D532E1E5FB0CB4F4684D9F6330AF3F69D75D25
                                                SHA-512:A101EA17BB2FB1E8FADFB4244AA30362F8976C9649864D2ACF1B885EC9CE3E25A26EA75E5524DE57D0BD748945087265B3D4237BD4786DF8F8D42A6B945468EF
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.1.4.6.9.7.7.5.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.5.d.4.f.e.6.-.6.b.c.e.-.4.6.c.4.-.9.a.9.0.-.c.e.5.f.0.6.6.e.0.1.6.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.1.e.9.3.2.8.-.7.9.c.3.-.4.e.4.1.-.9.c.9.8.-.1.4.c.3.e.6.4.1.3.c.4.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.4.-.0.0.0.1.-.0.0.1.4.-.6.4.a.d.-.b.8.b.6.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.2.6.2.a.b.b.2.f.1.9.c.a.8.7.4.0.3.3.2.6.3.3.0.b.9.d.a.9.f.7.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):65536
                                                Entropy (8bit):0.8905650445553115
                                                Encrypted:false
                                                SSDEEP:96:hk0us16/H4ifMQXIDcQXc6duAskcERcw3duAsN+HbHg/8BRTf3Oy1EoqzIPtZrXI:RuF0JsAnbcAPjueZrbrzuiF/Z24IO8P
                                                MD5:B89E48DF4A5BBA8C18DF6DE421C21983
                                                SHA1:D289F84B001DB891A28A96F894E9E056E45C1C7F
                                                SHA-256:CCE0A336C16ACC6A39C4ABEE716C87E93D36AB44B52C6F4230642C08A05FA391
                                                SHA-512:59E50E72497E4EFCB65114F84DAB248AC67355325184C02B44474315EC7C791F641A366E2243AE62FCDAB19F446A3FBE9607DC2DFBED2BFBCF42F92C0FD352B8
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.1.0.2.6.4.0.9.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.3.2.1.6.4.0.-.3.c.4.e.-.4.7.9.c.-.a.5.7.2.-.e.a.c.a.b.0.9.3.9.f.7.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.0.9.9.2.3.2.-.9.a.9.5.-.4.1.e.7.-.a.f.5.0.-.4.d.1.f.e.d.6.c.5.0.c.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.4.-.0.0.0.1.-.0.0.1.4.-.6.4.a.d.-.b.8.b.6.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.2.6.2.a.b.b.2.f.1.9.c.a.8.7.4.0.3.3.2.6.3.3.0.b.9.d.a.9.f.7.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8904289664787335
                                                Encrypted:false
                                                SSDEEP:96:Dvns16/H4ifMQXIDcQnc6rCcEhcw3rr+HbHg/8BRTf3Oy1EoqzIPtZrXOnmETkKf:LnF056rAjueZrbrzuiF/Z24IO8PL
                                                MD5:E56B9F4C0F24267749546264FD8A058C
                                                SHA1:2C76A3C56CA86F3A578CC8991D12324980E4A75D
                                                SHA-256:7E0EEE37A5B2B28F3A2C9373650584A0E6F1ECB5F8EE1C6410BA355502CF2814
                                                SHA-512:DED0225AF407ABDB186453687B644CDF9D2311B235CED96A8BCC0DA439A23D56854A912ECD30FF661A5C51FAA4DFEAD288F245337D7B2ACF871FECDB08AE7959
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.0.9.3.7.2.1.1.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.3.3.6.1.0.6.-.d.f.1.2.-.4.4.d.e.-.8.0.0.d.-.8.d.8.a.e.1.7.9.d.7.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.3.a.0.c.a.4.-.9.3.e.f.-.4.0.2.8.-.9.e.2.a.-.d.2.f.1.1.3.a.4.6.6.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.4.-.0.0.0.1.-.0.0.1.4.-.6.4.a.d.-.b.8.b.6.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.2.6.2.a.b.b.2.f.1.9.c.a.8.7.4.0.3.3.2.6.3.3.0.b.9.d.a.9.f.7.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8633300469987892
                                                Encrypted:false
                                                SSDEEP:96:V/bGns16/H4ifMQXIDcQnc6rCcEhcw3rr+HbHg/8BRTf3Oy1EoqzIPtZrXOnmETe:dbGnF056rAjueZr0zuiF/Z24IO8P
                                                MD5:559E04E699F918F16E1304EF4CA31B74
                                                SHA1:3E1F5AD1B905CE7A878B273C83C9FE45EF1BAA3C
                                                SHA-256:9CCAEB46C5642BE99659C3642C88D20AD5DA6C827CBFE76B30CD07AB104CCF1C
                                                SHA-512:07BC8F6E3FACE40383C4866366026348E4686A5129C3364982CD9094CEC3ACCAB93EDC66ED43476BD028CC481D672DC4FD45ED4D51FC5961AF307AF60E334A53
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.0.7.4.7.9.3.4.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.1.6.9.b.7.1.-.a.d.8.a.-.4.f.d.2.-.a.c.1.7.-.2.c.3.2.b.0.f.6.2.7.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.9.d.d.a.4.c.-.6.8.8.9.-.4.a.e.8.-.9.1.b.4.-.6.a.7.f.a.6.6.9.e.c.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.4.-.0.0.0.1.-.0.0.1.4.-.6.4.a.d.-.b.8.b.6.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.2.6.2.a.b.b.2.f.1.9.c.a.8.7.4.0.3.3.2.6.3.3.0.b.9.d.a.9.f.7.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9257521371249308
                                                Encrypted:false
                                                SSDEEP:96:JqQmys16/H4ifMQXIDcQnc6rCcEhcw3rr+HbHg/8BRTf3Oy1EoqzIPtZrXOnmETB:QQFF056rAjueZrbfzuiF/Z24IO8P
                                                MD5:5ECBBE48D23DC8811C8606DFE2748754
                                                SHA1:270C24035E5BAF6CD980DCEF40B8F231738282D2
                                                SHA-256:66490B5313EE333B776141463B66C2B8AE7C86403EA8CA96C21E4E864935CF77
                                                SHA-512:3D794933C2557270961A9FBBA083E77DFA22D9B5747F075C5DB309D74560C9147BE9D4FEE94D843D0EC2D263D1A56DBF11AFEDC644CA9067FD91465EAE297DD1
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.1.5.7.7.6.1.8.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.a.0.7.3.3.3.0.-.0.6.7.4.-.4.5.0.7.-.b.f.d.9.-.2.5.2.0.6.1.0.c.4.a.a.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.8.8.5.2.3.a.-.8.c.b.b.-.4.a.a.d.-.a.a.f.2.-.e.b.e.6.8.1.e.b.b.2.d.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.4.-.0.0.0.1.-.0.0.1.4.-.6.4.a.d.-.b.8.b.6.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.2.6.2.a.b.b.2.f.1.9.c.a.8.7.4.0.3.3.2.6.3.3.0.b.9.d.a.9.f.7.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8906890019770819
                                                Encrypted:false
                                                SSDEEP:96:XoH4s16/H4ifMQXIDcQnc6rCcEhcw3rr+HbHg/8BRTf3Oy1EoqzIPtZrXOnmETku:Q4F056rAjueZrbrzuiF/Z24IO8PP
                                                MD5:4B952CAC0E4696D8FB7B1A1F66C6EB80
                                                SHA1:8E1A18CAB88BC9E10A98A28F89DCE032E125C408
                                                SHA-256:2B5821791AC5E533A72318300643B67327D4A1E54A8F022F67BE257BD602AAFC
                                                SHA-512:D2DCADADCA8C0EE4F8F46B53D1223BD59EEA4CAD059BB9005BAE3303ACFE2C02F615563B344F196391E5D53ACA66D8E31EA52629C56B3C573FC0E6E22BAFC379
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.7.8.5.6.1.1.6.7.8.7.3.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.2.3.8.7.c.d.-.4.8.e.8.-.4.4.5.9.-.8.c.2.6.-.0.6.6.0.a.d.e.4.a.a.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.a.7.b.6.a.1.-.c.1.1.f.-.4.6.5.0.-.a.9.7.f.-.c.2.6.0.8.f.3.3.5.e.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.4.-.0.0.0.1.-.0.0.1.4.-.6.4.a.d.-.b.8.b.6.0.f.3.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.2.6.2.a.b.b.2.f.1.9.c.a.8.7.4.0.3.3.2.6.3.3.0.b.9.d.a.9.f.7.0.0.0.0.5.6.0.2.!.0.0.0.0.9.7.7.f.8.4.0.7.a.7.0.3.3.b.2.0.b.9.6.f.e.c.6.8.6.e.9.1.8.c.1.7.7.1.6.0.a.e.9.2.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9260098285971679
                                                Encrypted:false
                                                SSDEEP:96:bFgbs16/H4ifMQXIDcQnc6rCcEhcw3rr+HbHg/8BRTf3Oy1EoqzIPtZrXOnmETki:mbF056rAjueZrbfzuiF/Z24IO8P
                                                MD5:B167BCB12A4FDA703F5007A865963DFF
                                                SHA1:6C1FFC921C074DEE701B4E25C12138EA26CFF710
                                                SHA-256:539764DBD2A95FAA1F6BA5B4C7C4BCAC7EA03BFF836DF00C4A153BD32830F8EF
                                                SHA-512:E62B33AF79A6950BF275827270CDD0F4A22CBD34A69003E93DB0CC604D5661086F0D350C13E3E056A058BD6E3C5F0E5E38409B81F3DB47483DE8D92C2A0FE5C6
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8530285149281172
                                                Encrypted:false
                                                SSDEEP:96:kguj5T2s16/oH7Jf3QXIDcQAc6CcEPcw3I+HbHgnoW6HeOyu9oVazWtZrwnVfEoP:huj5T2z0OGFljzkZrqzuiFkZ24IO8P
                                                MD5:F7CCA1B14FFE58507879E434E57B2DB2
                                                SHA1:EBB32EF81897EE8637E41257E19612CC9132083D
                                                SHA-256:0D938BFAFA9B4A5CEE0789C4340BEE84495C4EFC696C0C1E6EEE137E5ECF2B72
                                                SHA-512:4E2B2F07164E7EC1B3E174242ECC1DAE3E00482AD57F19515A5AC877A1FE3B17710DF3C25FF93CD9F792ECECB4E5BEF50248AED79F6B779D2F6DB99DBACD09EE
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 07:59:57 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):55208
                                                Entropy (8bit):2.230678644676912
                                                Encrypted:false
                                                SSDEEP:384:tBVDkoknSE8NyhzatxD9gD/DkDjjU8iTaXh:tBVgBnV8IQjg7gDvRR
                                                MD5:BF355329382FCF237636C8A289FDED87
                                                SHA1:F4B40237662544C134409557DF86AE25D369EDE3
                                                SHA-256:ADC1DB505A6EE639A472ACFA0FC6511A0E773CF17B6BAAE8FFAF874DAFE764E9
                                                SHA-512:886C84872BF320AD27619AF82523F44A80E3CC19D6D97204D4911FCBC29D8470B0EEF1C300371D7822BBCE1DE66DB2AE0FA7E93BF0109888B7D4318FA3B8837B
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8378
                                                Entropy (8bit):3.696295384886167
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJwOB666YEIvSU9dHVgmfMDWOpBO89bXfsfRdm:R6lXJwY666YEwSU9FVgmfMDWOXEfi
                                                MD5:8919F86C83844984736A50E650C757F0
                                                SHA1:6ED1A26554887AFE89B02E6D28C53A4CB88E6D52
                                                SHA-256:776B974D934F2EC8157D44852EA2DEAB25FC603CCAD36DB757450E696921F0A0
                                                SHA-512:583A40AF84E2F4564A50E2BE59AA7EA0DCE29E482AF13E889B2E79648DBCBBE0B8F1EAC8C7D31ACDDA172D2F613D155B5E6A6CDA74B9C5EACEC026414E6FD382
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4639
                                                Entropy (8bit):4.460866243902158
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VY+Ym8M4JduZFo+q8aNLJ6ZEd:uIjfPI7e27VGJUUBLJ6ZEd
                                                MD5:8E965A721567F0F1379323E0DB029811
                                                SHA1:F07E5A72E9D18FD9102BE81012040B819A56F21D
                                                SHA-256:BE6E8D927A4ABC4BC026FAE1D164A8223F33C35CEFF9F9BA85F23B32BABE3584
                                                SHA-512:229C48C7D4656FCC79F167294498667212A834FCAE1EF012E9AD677B2CCEBF4EFE3CE57B6AB6EC56A245DE1D703966AB540F5E7B9618F652F932346DEF4B6620
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 07:59:58 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):83064
                                                Entropy (8bit):2.3138027773081937
                                                Encrypted:false
                                                SSDEEP:768:Qo44Oh7+n+wkNOa3tMTRc1Wdt9CoDvu3CwV:fOQkNRMTgWdt9CoDv0LV
                                                MD5:CF330BAC77DC454B13637FD99402C664
                                                SHA1:39D2229E8C6544BEE141A85E42A459B4348A20BA
                                                SHA-256:C2A8CAC7875D6106190D681BEF870465808D9871D6004E38E924B09C08566BC3
                                                SHA-512:1F375959B5CD725D1EA38CB006E0F5A47DC5AB0358920CF4B32CD9EE7417179B01D6B219BFE1798A39A641DEC62E7E44699D25A4AE0CD370A1B7B8546F7CD5F8
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8378
                                                Entropy (8bit):3.694862771201657
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJwO/691ge6YEIhSU9dHVgmfMDWOpBP89bAfsfuAm:R6lXJwm69r6YE+SU9FVgmfMDW5AEfg
                                                MD5:2EDB796B452D5D15E407DDA63BB207E8
                                                SHA1:0D5A05EFF0FA2D62C4EDD93D185BE1A4598AD717
                                                SHA-256:A5A6888B6C0C20F9196A76315285D2B83979FBF0F465B96FAEDAF98559235515
                                                SHA-512:0AF7A1265314C53ED66F6DA958F65834644A8356BFFFB35179FA7C713980923E97EA6AD34394F4A0832B2681A942253CD9D8E97189E5628A1CCF9308F28FAFCF
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4639
                                                Entropy (8bit):4.462440135512575
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VY0vYm8M4JduZFS+q8aNLJ6ZEd:uIjfPI7e27VHyJU+BLJ6ZEd
                                                MD5:1C2C7D7D32DE432BE0A6ACD8050B98E6
                                                SHA1:D94CD6606DB393DB4EC80D0BE95DC7ADE993AAAE
                                                SHA-256:00FDD36E53A12B2FD9F5A0AAEE23FA55A478137B0541D7DFB5497CAA937FCA44
                                                SHA-512:8140742226918BBCE1149A8357A0056AA643CC37A9870C45B1131D35786EADFABE92268CFEDA418A48F2AE1BECAF150A31DC2875BD00C1A40D7FF0795DB8A19F
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:00 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):81368
                                                Entropy (8bit):2.290578688211289
                                                Encrypted:false
                                                SSDEEP:384:g04Oh73knLktI7jCa3HgFjAFOjjBWS7j5Ut9CBkPDjjU3i1FJccxrW:g04Oh70nLkt6OaSiOj1Wdt9CoDvpBr
                                                MD5:C1849DB60322847F6FED7917A8532E64
                                                SHA1:81890EF02DB3ACEBF6D0CF3A48914E92FE7C7D9E
                                                SHA-256:04F5BC7A729D0A5E3924DE221C00B196200D3F9B53E93A809B9AEB521B401759
                                                SHA-512:DB978CE6017CC9AF51136EC033C34FEF0D3D0E5EB70A4205C804828A8CAE2C5324F5B4D698199AF25E7D7AEA536CC0BB5DF33CF3C98533A900ACF3ED43147DC7
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8378
                                                Entropy (8bit):3.6941206990062647
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJwOy6Sqge6YEIkSU9wHcgmfMDWOpBM89bOfsfuqZam:R6lXJwr6J6YErSU9ucgmfMDWQOEfuk
                                                MD5:1E7C9BDAAE1F3BDDC8152CF17240989B
                                                SHA1:DB413F8E182DF97D75CB0DB3CC137B514EAC0B64
                                                SHA-256:D703B14718F0DE59FC9EC9DB1849850016C12AA07A12E4AC96E8C1CE364EEC6E
                                                SHA-512:6E49299520BC4AB4C9C53DC4297B79095ED9818BDCF26C7F18AE0E55EBA8735A8F868F18CA21393F4B6A0A24071CFAD497AFF9FC4B67FC1038B106F6ECED9B2E
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4639
                                                Entropy (8bit):4.4580324759565055
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYwYm8M4JduZFj/+q8aNLJ6ZEd:uIjfPI7e27VwJU//BLJ6ZEd
                                                MD5:E32971CCB17561B1CC61DCAB3F8AD97E
                                                SHA1:070C1FF9FEDD7A50342F68886CB61F2C3D8AADEA
                                                SHA-256:CE8372913D36AE5C81B46E087820E4F37EFDE934A4E84C3D80335D386B832DDD
                                                SHA-512:23CC50209E7F796218E2306C9190A472BCF914251C5DD319144B0912AA360B0BA3078FF0B8E0430E379FFDC9D56DD552A091F55521B2D415FAD6F1EE48F10723
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:00 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):81260
                                                Entropy (8bit):2.311869229913316
                                                Encrypted:false
                                                SSDEEP:768:94Oh7InKUbEM07SuFU1Wdt9CvDvLrVoU:6Oebf0BOWdt9CvDv/VB
                                                MD5:B6943786EC6E75890FF3A4C1BCE410C3
                                                SHA1:E598A7BF58B6BE3A43A977501F3B2B2DEED71C41
                                                SHA-256:6FD23B94EDC8544B941B4D4DF0357B75CA9CD7C0AF06972FA75E9A9DEE482B5F
                                                SHA-512:733B5C61A24352A47F3FB1EC5E86AF2BF266383CE22BC36D489E6838AB171BED3872C89F39C421DF52E1E9A88138B36B6C9F325B99F6A1F80D1EDFB2827DFBC5
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8378
                                                Entropy (8bit):3.695803655501666
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJwO86B6YEIkSU9/rH0gmfMDWOpBB89bOfsf7am:R6lXJwV6B6YEbSU9b0gmfMDWnOEfX
                                                MD5:6DE7FE7F8788EA44FE415F91CD71F182
                                                SHA1:3D58A8AB3FE20E60A66760C33175FDCFFD6AF85A
                                                SHA-256:B62D4C6353727625719F21D5845A3521E1E15D69E8523087A14F987E5EA4F17F
                                                SHA-512:EA15AEB002779E6A03D2A3BFF44C33B9A02529510A64D8FE63CCF00229A970391E6609A0F9D9F1C285E21644895BAA27C45CAAD92EBBC7E869EB53C042A14FF6
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4639
                                                Entropy (8bit):4.462885650376421
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYAYm8M4JduZFq+q8aNLJ6ZEd:uIjfPI7e27VUJUOBLJ6ZEd
                                                MD5:18C7A7436FD9FC8E2B36F4A0E150BB59
                                                SHA1:D675323874119CB0526E9C77F6F838887452BFAD
                                                SHA-256:E30FAB8833E65BE60D49504970A8016CB08AF79011737561737DC5F847A33882
                                                SHA-512:DEDF8C4FA83D9C01E7EE1A285371CF78FEC486F135F54056AD696528C216F4C2947880D0377C35AE34FD334A6F4F416C2505F41FE9DE40665DFAF04DC7E704BA
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:01 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):88270
                                                Entropy (8bit):2.054576037684484
                                                Encrypted:false
                                                SSDEEP:384:htPFqIfKknieN0AhzsPwAfOj0t+p4OiDjjU3Kq/UWW2oO1R0S:htPFqIfrniehsrrt+KOiDviUf8SS
                                                MD5:9B8E295440EC53B79A425C6301B5B9DA
                                                SHA1:EEE9286415E0B5CCD9E69F9818F85F94EF96ABCA
                                                SHA-256:EABFB7F0302377E2C3E26EA747DE09EF22CBE7E50BAE34F101E8F395C0801843
                                                SHA-512:DE727F3CB253FDEAB2D0681272E15F86CCBE6D76FF8B267396EBED08C5EFBA3EB42E8E5E446A8498E65B5E880C3E4DE30469B3C09C74FD4F70868DE7F1BB346A
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8378
                                                Entropy (8bit):3.696226397123264
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJwOI6f6YEI+SU9EH0gmfMDWOpBM89bXfsfUdm:R6lXJwR6f6YEhSU9K0gmfMDWwXEfD
                                                MD5:027DD3DAF40F07DFD154BA0355DC8723
                                                SHA1:A89AF6A890F9249597DBE81DEE63DA0F9932D507
                                                SHA-256:31793D92735742F4361C75E54EC4545B024DE11F5DBFE6D6F3FE0D5C5D0FA559
                                                SHA-512:B19852A7C14971334158C183A32C93E4345A1C6EB7BFD32EA35A8D362D0C0266D11A8B3AC0E0C62EA33B724338565D74CE854B4CF88F2F63AB9B19667E2D10A3
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6076</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4639
                                                Entropy (8bit):4.458937304285423
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYKYm8M4JduZFI+q8aNLJ6ZEd:uIjfPI7e27VyJU0BLJ6ZEd
                                                MD5:4D3CE279B6AE3D17893E9BF3471BEB4E
                                                SHA1:6159D8E557555C29A60615CCB0028506D06934D6
                                                SHA-256:4BF177C5F39E8C008F1129B97ACE50A6FF81DEE37F24105C7EE3E42AF24CB277
                                                SHA-512:C2A7ED0F48A8C1F4EDCBBDBCA6B532D782D8171DE01D8483A64FDE9859045542E6A2CCFAB3E59E0F2D6AC03F1651F947D985267C956C1CDE5E64CDA0A4AB4FA9
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:02 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):87846
                                                Entropy (8bit):2.066008608248576
                                                Encrypted:false
                                                SSDEEP:384:+PFqIfaxYkns+uR2ThzPYo3fwAgOj0sZp4OiDjjU3a7oZgaCpwNVdq:+PFqIf0xns+IY0KkrsZKOiDvcquHc
                                                MD5:61EDE09F0A3F5E87A9FB4F2F40099CBD
                                                SHA1:D483CCDFF1A99F7108B930D1DF4CFB86D9D84D2A
                                                SHA-256:832B748C321D133CDAFD252F2AA406BD0BCB920098CE38F8054B429AEF033985
                                                SHA-512:E49AF4D22AFE5FA59E0C5C45E7C727650CD37FC5BDDDCAB7E1D9AC41444413DC4BD83D5A44951A4208BAA7B3DBA4EB17BEC02F896A1AD0BB7114DA59746A6B98
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8378
                                                Entropy (8bit):3.696104258095061
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJwOW676YEIASU9SHogmfMDWOpBG89bcfsfDS0m:R6lXJwv676YEvSU9oogmfMDWmcEfDA
                                                MD5:C78034EC3F3AAAD0476EFAF49EAE25F6
                                                SHA1:BB63635CA4DA04BF35EFD0791B9A55C4D6CB49AD
                                                SHA-256:2ABE53AC110F4BF1F873F131DF9FD05272EDFD2C652E4B75D4D7CDB0AB889B35
                                                SHA-512:9A177AAA0C3C0B1133AF085694D56294DD68BD50C99323ACF4125E75C86C52FBD97A7CB92028B616EB0AE4E53C0428C696B1704B3833A8FC5489ED4244EB48EB
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6076</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4639
                                                Entropy (8bit):4.460621689166176
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYuYm8M4JduZFm1W+q8aNLJ6ZEd:uIjfPI7e27VSJUXBLJ6ZEd
                                                MD5:D99A9DDABD3143DF1DD74D3B2DC88A38
                                                SHA1:436EE9A7BD44BB1C50C6FE5889FCD9487A25FFE7
                                                SHA-256:0228458A8DA9C1F377914D7742D470A169986928CA650E3307A75707A7CD967C
                                                SHA-512:59BED3B9A3DA5C3FF0CDA4BA326ED5362F28A20CFE80BA5F80D42B2D89176612EC60BFE1A6F70D1A682C8411C4A47E74EA3AF9BD9352493E4489D3A7278685D4
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:04 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):37452
                                                Entropy (8bit):2.4904379728946346
                                                Encrypted:false
                                                SSDEEP:192:xliEX6Xr4RlXB8xOzYCFuPF+akRReiyB0qXPZI/9Fe8eHPxtD:CB4RH8kn4F+ak63R4gD
                                                MD5:E2DEA5EC7B23B3BC1DFCD05AAEB57FBB
                                                SHA1:E673CF07BFC364ADDDED033B0B759277C7961DFB
                                                SHA-256:AC10D909C24DD2CF0BD903509BE447AAC34F92DC8BF04A41E982CFC434A7567A
                                                SHA-512:409185ABF2070376B18A0EDA26CC41B142346CC6F3432B60360888EE4521B929BE95A7AB0D3FFE6DC62749B2C073A2C458D7EE4A07A673328FC01B2FDCA21D90
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8404
                                                Entropy (8bit):3.6997224412024146
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJwOD6l6YEI5SU9wHogmfMgPupDr89bqfsfcT9HOm:R6lXJwa6l6YEGSU9uogmfMgHqEfcx
                                                MD5:C800D54901452DF4854CAA59CF410829
                                                SHA1:C6B91F89D6C904783F4E0B6F2FBBBC7EA46A4197
                                                SHA-256:E30906AF42389A6375E9061634457B6570297120FE9DF024D495EC1FC105C9FA
                                                SHA-512:3961ECDDA2B9EA25A726EDF6157926A76DBA8226ED9D36DC12A6610BA3EAA1020B287BEBE7193251F9098F4E9CF216AABE2756072E8FB7539211313FD4F32D4E
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6076</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4665
                                                Entropy (8bit):4.490609750736936
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYOYm8M4JduOqFxe+q8d2O8J6ZEd:uIjfPI7e27ViJ4UZTJ6ZEd
                                                MD5:D7E999CF35C7765AAE76FD6EB71F86B5
                                                SHA1:AC4FAEBBC2CD56EEF2E51DA7D825B5F1C6721664
                                                SHA-256:D0BC750F04120A43391243195D8E6D38F4F92112733CDFC3804AC73070C2453E
                                                SHA-512:049026272BBA60D3CB9B19C9F7E1F165444D0B2AAB021B4F0AA48AADAD9F3B56989900D44219ACBB84DB1453F538B7B35B2B9B25F443066EA14BD9EB1D43929C
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:06 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):51610
                                                Entropy (8bit):2.1157645142829824
                                                Encrypted:false
                                                SSDEEP:192:/UUPX1Xj+S3nHOzXtbj0KzWwF3w4fUgK7Q5t1FhyZay91WTCMCw00TlhG/:8A+SXuJbj0Kz5Bj9ptTAayKOMCX/
                                                MD5:76323CB7B21447368924BBEC3BB2649F
                                                SHA1:AEE55D420CF07271056111F7A2CB04F2E95F8AFD
                                                SHA-256:BBA2E45892C79A459B35722E68A93B0E711A8007933120E01A6D3EC013FB16DC
                                                SHA-512:2BAAF4962B74B3F8861773D69D2D40C258E7F060F169694BA9D9DE33636BD1CA36392475D220CF69ACC76AEEB8CD7BA5F2B17EED701ABE189F6233D19DFD68F2
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8340
                                                Entropy (8bit):3.694881733777127
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJT+6HXbgR6YAOz6NgmfXOpBRC89b4o6sfeom:R6lXJq63bgR6YAS6NgmfXu74oZf4
                                                MD5:580827B96ED0071A3BC77BB1AB8F48DF
                                                SHA1:52A0CE786C362D64BDAF9B78A5D5971F4A37E7D8
                                                SHA-256:180AD3B4746C85FE3F4C0327FA994A3E629989AC52FA9325982EC8216E527A97
                                                SHA-512:340130F127DF4D6EE70913AEA7DFB550A6B58B3658613B7450694FC5973DDA2801D4E423FED0212D913FA0B42DDEB687030DD371D04563617F7164A55B0943B7
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>3364</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4583
                                                Entropy (8bit):4.439561536138877
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYeX0Ym8M4JRRZF8m+q8iNGo9q7d:uIjfPI7e27V7JHgmZGo9q7d
                                                MD5:3A073D0285E623CAB22831979E293B47
                                                SHA1:46771A7A8F0357FCF54B60972B03BC06991BF119
                                                SHA-256:4372D438E80759BE0908EB8AB97DCD438B82AA0B4F4D56F8DABAE47AC31FD24F
                                                SHA-512:DB04BF6DA02C3AED952D889596B07CCA3B249DE8CD3CBD2F805A40644BFF0E76AEF3EC991AA0F98721A907834A89726A0672CBF8A3614982A576268B7A32A286
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:07 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):57606
                                                Entropy (8bit):2.139579953433288
                                                Encrypted:false
                                                SSDEEP:384:uKaQOmmaJ84kbl/cwnDAayKgGqzZZw6o+A+B:uK6laJpc/cyDL09e+A+B
                                                MD5:3D782817CC671192E79EDF35C8F79159
                                                SHA1:7E29C414D7FCB9AF1F1EF649CA12718D4035E0A5
                                                SHA-256:5B55E0ECD7B32B88E25AD6076F3438A44B450AEF4EFBD9E1A3E5BD12AE0638E8
                                                SHA-512:C7BA309B16EBF9E01A5D2F1A4B616F05B282C8295F1E2061447A3C503759E3C815BF85BF7A1DBB73D37534930E206F01999D18D15182A7DD331394D5E0ECCD3C
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8340
                                                Entropy (8bit):3.6941869191378793
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJTb6Qg6YAOv6NgmfXOpB089bVbo6sfbTvjm:R6lXJP6Qg6YAe6NgmfX4VboZfv6
                                                MD5:F2C629DD0235DA6AE001B16D4652F919
                                                SHA1:FA2CE3F5631035315B6A3C2938FAB6D805258F33
                                                SHA-256:F541A3188819EE8F408803C49CEA3E88E25F2265A8A8D88946D0AB06C1C3E7E1
                                                SHA-512:D368DAD37273A4826ED51C80F22A14C6D0CC2F828364EB0BF9EB306B582642465B95BBD426A0A39B29A11AC0602B6FE853FA6951888036BC56301EB6BD9B3715
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>3364</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4583
                                                Entropy (8bit):4.438861575988311
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYSYm8M4JRRZFz7+q8iNGo9q7d:uIjfPI7e27VSJHDZGo9q7d
                                                MD5:9384376CBC4682CCF4D6F207BCB2B29A
                                                SHA1:F97F8A3DBDD453E1DD722360356EEA4C8846397C
                                                SHA-256:4913982681BF638E5C6A74996CBA0BFE8F1A702C982780DDA59CF75ED891CB7A
                                                SHA-512:A3A580EAE674453393324D5926545D2D1B6AA28A7C0F8E8F113A15B62AA3802BBCD744C0D999A3AE6D5D9C4A4F6EB16DD4531A17726B59EDA9CC145960A6CB51
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:09 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):62656
                                                Entropy (8bit):2.011983881479926
                                                Encrypted:false
                                                SSDEEP:192:EsTqB7XP/X1oI8dN6OzXtg0lA2OSt7kWyWbgQ7OfUbgeTOK7Q6EDay91WBorRycP:H4NoI8dvJgj2O4kbYw4fTOxayKeycmPQ
                                                MD5:C5765332A3A3300B5EBA074A5AD5EB01
                                                SHA1:8C73FC2057A000B6A25D096095D3560B1DE2E192
                                                SHA-256:382553EDF077A2AFAF69508EC183B695307F82BCF01A3E37D9539D6E53281E05
                                                SHA-512:259A0E1318EC7B3BBFC23DCAD161D308D2F5A62AC312F61C44CF971EBB88A79517A92A90270D6A361214C9E47884CE340CAA681E3439E92DF51F72834160FFDF
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8340
                                                Entropy (8bit):3.692486483619396
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJTc60me6YAOU6NgmfXOpBu89bfo6sfHg1m:R6lXJI606YAV6NgmfXufoZfH/
                                                MD5:8974525916F800B7D28CDEC0CD6BE271
                                                SHA1:25FD427E5866890F938956A6AB9066A711AE1B82
                                                SHA-256:8848B6B682384F0571C1F872BAC0331BDCE5D1C29AD47F25FB1708430391EF2A
                                                SHA-512:9AFC48CC6A1174FAD80D124CBED32A1DAECBCD7D677D2163F7D9B4AE7CCCFC26C615E50413A1BDF0851D2FB7DD5704B941F36229C5A7BBE59A86187504CE496E
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>..	<OSVersionInformation>..		<WindowsNTVersion>10.0</WindowsNTVersion>..		<Build>19045</Build>..		<Product>(0x30): Windows 10 Pro</Product>..		<Edition>Professional</Edition>..		<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..		<Revision>2006</Revision>..		<Flavor>Multiprocessor Free</Flavor>..		<Architecture>X64</Architecture>..		<LCID>2057</LCID>..	</OSVersionInformation>..	<ProcessInformation>..		<Pid>3364</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4583
                                                Entropy (8bit):4.438188042068652
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYoYm8M4JRRZF3h+q8iNGo9q7d:uIjfPI7e27V8JHtZGo9q7d
                                                MD5:6D2068D4AE967C04AE345452DA486512
                                                SHA1:61D34B18E0FC59033F63D44801532B73CB2D83C4
                                                SHA-256:91C809871F6A87DAA05F086C77B1EDBA3A54C0A4E4F2A63042ECF9C02F7EAB1E
                                                SHA-512:92DC25C1838EDD4DF3CBB4AC8BFB929A7CF3DF438A3C0413EADDE16A68217246A64C6002AC3A7D8071F05C1D495A20BF7CAF47BE8A532BADEF7A4AA14599EF75
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:10 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):68348
                                                Entropy (8bit):1.9542739744195612
                                                Encrypted:false
                                                SSDEEP:192:zVZ7XRXg4vQgwOzXtglbSt7kWyWbfQJxfUkUFGypiz7K7QWEDay91WBoFPpPSiKW:ZQ4vQeJgp4kbY6zUEJH1ayK+pFX
                                                MD5:F249D8CF1D204B4EBDF23EB6A8985CC1
                                                SHA1:AF36C082705D5F97D8EEB7DC08965204F61A590D
                                                SHA-256:0CFC51440BC6FE1F00E102A1F991E76DDAEF306ACBA83FA43171C5ACF62DBA32
                                                SHA-512:7994FFD5C897E5029C05F80002A88E03F94B694A521C550E398CB7DA888836CA789909155B4A70EFE5F3E436999E6430B743AB24D22575EFA79B8937E0BC9CBD
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8340
                                                Entropy (8bit):3.6928344387533913
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJTB6km6YAOM6NgmfXaAjABpBG89b/o6sfXVm:R6lXJ16V6YA96NgmfXaAjAx/oZfo
                                                MD5:67EA6075B35A6312DF6E559F718B4A76
                                                SHA1:9CC4DD896BED93BA5999C1441123BD85B75D570B
                                                SHA-256:772FA630E0791248581EF9EA7DA19C54A7E97B6E70BFC210178D74F7A22C952D
                                                SHA-512:C78FC039870F90C05966A8F7E3937359A72F95045B957A057F2067246E3E9A11F69E3CD3CB34B160A39D17AE5EFC3BB55CAA4735230F9B89B068B3A633567BE1
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>..	<OSVersionInformation>..		<WindowsNTVersion>10.0</WindowsNTVersion>..		<Build>19045</Build>..		<Product>(0x30): Windows 10 Pro</Product>..		<Edition>Professional</Edition>..		<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..		<Revision>2006</Revision>..		<Flavor>Multiprocessor Free</Flavor>..		<Architecture>X64</Architecture>..		<LCID>2057</LCID>..	</OSVersionInformation>..	<ProcessInformation>..		<Pid>3364</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4583
                                                Entropy (8bit):4.439471144136897
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYNYm8M4JRRZFM+q8iNGo9q7d:uIjfPI7e27VlJHQZGo9q7d
                                                MD5:646CCD1D79841AD93B76F7D4F560C0B2
                                                SHA1:FC1F8BD8A50801DCB8469A769E84AAA7DA6A492E
                                                SHA-256:59FCA41C4AAD4FBAE300B53DB0250512CB4957F926B46334112C88A47FE835E1
                                                SHA-512:3DF0261D8901E8477A3A92DE28D7924A7B06FCB166B9F20353E63110303590360F342D75A46301A30BFA18C500829596FB382CA0002679F9E1744FA0BD857BD6
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:11 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):62754
                                                Entropy (8bit):2.016143603712026
                                                Encrypted:false
                                                SSDEEP:192:6rxB7XP/X1oIQwOzXtgSd2SNUSt7kWyWbfaMfUpK7Q/03EDay91WBoQivTDEmP:2vNoIKJgw2SS4kbYzcv0+ayKovTBP
                                                MD5:6ABB6430C311F93B89C4F72CAF1F895B
                                                SHA1:13E1D8B9924705BF36A1D93E46A849C5D08555DA
                                                SHA-256:8AF6EEEF529C0DE9D5AFD7EBEC171D0DEC79DB5FDAD83D6170A88CB01B53B811
                                                SHA-512:845DCCA7C17391D1079DBB4DD721F8F6115DF8FD6FD1A2F738F9A58E134D2058CB51F722AE09E3E582883C7728AAA061D2CD9BE497B80DBD2D9CA4B0FC482AF4
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8340
                                                Entropy (8bit):3.693057244459257
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJT16e6YAO66NgmfXOpBM89b2o6sfFSm:R6lXJh6e6YAL6NgmfXw2oZfh
                                                MD5:407BF7CBE3B4E293AE759D18F2E1C7B2
                                                SHA1:1DD74692E9FFEDE86097F3A7C8DEEEB9D4162B37
                                                SHA-256:DDD390B4C288FF5355D92F020C7E89996C9C413D024CD05823216F77C1F11FB8
                                                SHA-512:DC6B38EEC93F5D487AC1792522139AF9CA854CA5A8ADEA836806DE6D088BFEE05C65B97DCA97B9BE24DEE39746AC3E63EF952E0F334D92669AFFC56BFFEF51DF
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>..	<OSVersionInformation>..		<WindowsNTVersion>10.0</WindowsNTVersion>..		<Build>19045</Build>..		<Product>(0x30): Windows 10 Pro</Product>..		<Edition>Professional</Edition>..		<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..		<Revision>2006</Revision>..		<Flavor>Multiprocessor Free</Flavor>..		<Architecture>X64</Architecture>..		<LCID>2057</LCID>..	</OSVersionInformation>..	<ProcessInformation>..		<Pid>3364</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4583
                                                Entropy (8bit):4.441012166054371
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VY3Ym8M4JRRZFN+q8iNGo9q7d:uIjfPI7e27VzJHpZGo9q7d
                                                MD5:D163B5D2D43C347C369E54B2F637813D
                                                SHA1:6AC2F743E4EFA9007087E89CBECEAB40729A6213
                                                SHA-256:21B4790E2A881F04993F7CD72175760B188A4D54396C1EDCADE2FB5C92BA399B
                                                SHA-512:B3108EEB502BBA9C60E2EE2951EF86F61ADB39AED30FEFDE8AD712484B46D2CC239974981072F4E9F9A722DC14132388D1614CE59915B2E47E9C76D45E7A78E2
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:12 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):82748
                                                Entropy (8bit):2.097559941100238
                                                Encrypted:false
                                                SSDEEP:384:kptLuVJuJg9jz5SJSRrpl4b3HedhUWTCU0SayKWCxwQM3h3vM:kphOJuJg5kJqFSbkhUWTCU0FxwQ6h3U
                                                MD5:A61B3D82C1D7537CF879563A50ACEE38
                                                SHA1:E6A442F9E124051C27A7AE2210217036E253F8D4
                                                SHA-256:795BA7A8C0183B90C0452432780C657BDB72AF435260496D36660D529599F56A
                                                SHA-512:D56655EEDD767C272519218FC48C336E701806F4540BC99C09BAE4132E2B9BDAF126B9000588A8215D1781C07975CB7577015E05F6593AA17AF1B230E42571A6
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8340
                                                Entropy (8bit):3.6960828119361406
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJTt6A6YAO76NgmfXOpBj89bEo6sfCsm:R6lXJZ6A6YAa6NgmfX9EoZfY
                                                MD5:C2570AE0DE9EAB0F586CC0AAAAFB0924
                                                SHA1:4FAE1AA6BD803514AC29F2928A39C4CD876DB4EC
                                                SHA-256:B59C63AC97F0517F8223572AC343EDE396088D1944237FB043DE10ED9D989E06
                                                SHA-512:42C061E4BEA919C9A70C1037F4BFDE19C2E5D1E900EE1727BAB82A9D2EBA237CADC60BFDE1D1C3B0AD5FB9AEBCB12FE351B99C836B71CCE17C05E8A83C845374
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>..	<OSVersionInformation>..		<WindowsNTVersion>10.0</WindowsNTVersion>..		<Build>19045</Build>..		<Product>(0x30): Windows 10 Pro</Product>..		<Edition>Professional</Edition>..		<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..		<Revision>2006</Revision>..		<Flavor>Multiprocessor Free</Flavor>..		<Architecture>X64</Architecture>..		<LCID>2057</LCID>..	</OSVersionInformation>..	<ProcessInformation>..		<Pid>3364</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4583
                                                Entropy (8bit):4.439855851106772
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYJYm8M4JRRZFi+q8iNGo9q7d:uIjfPI7e27VhJH+ZGo9q7d
                                                MD5:93294C97355C63EAC771A81517C56A83
                                                SHA1:F83B07F62C119A211E8F180A17F041DF1E4A4495
                                                SHA-256:BEE4204FA02AF8BB733B9354AED80E7C4578F2B8F3ED450E16DA05FE8379DD51
                                                SHA-512:1D3860657DB3CD60B598B45B56C2B25C66D9C3A532105790EDC255894D84CA53EE93513AA5DD2D4AA0208A9E852F0847882B3B14F14ADE7B1C2A8DCA937FBC2D
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:13 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):23378
                                                Entropy (8bit):2.355564313441267
                                                Encrypted:false
                                                SSDEEP:192:4avzuDX1ZvXBcm6O3XAJKM1xippDfmVJKj:Z2ZpcmF0lUJmVgj
                                                MD5:94408F8C1765585EA74246A6DF6096C3
                                                SHA1:84F44076B5CAF91C55068F40461845EA2B9EDC5A
                                                SHA-256:BF4FF5300479D6F3BFA1714421E45D7E3F3210F81928602B01157008CEE4F043
                                                SHA-512:A4923C1FAD2813D2EE26356294E9E8817F7C53C4ED283CF89251519C851C7BA3F669A087D9867D06FD76BE2B4B9FD0B5AECE893586DB032DA2D11BBE64853677
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8372
                                                Entropy (8bit):3.697113252889389
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJG264wWR6YEIZSU9MkgmfZMpDQ89bbmsfKzJm:R6lXJH64v6YEmSU9MkgmfZsbFfKw
                                                MD5:1F266185FCBDCC5C1090BEC9F070165C
                                                SHA1:F15141B61B2F860AE2861D6EF9CDAEBDB2485947
                                                SHA-256:127B0B896FDCFB9EF7723676C7C5D7EB99701750E7C76420D4AA26B50E8851B1
                                                SHA-512:D1E070FEA3FBCCBED655546F9032C16385B9478676D955E5233BE251CEA90ACAF6D761787163CFF6AA5F249FE0CF39ED0E161358878081C10CB7739EE53FC4B9
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>..	<OSVersionInformation>..		<WindowsNTVersion>10.0</WindowsNTVersion>..		<Build>19045</Build>..		<Product>(0x30): Windows 10 Pro</Product>..		<Edition>Professional</Edition>..		<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..		<Revision>2006</Revision>..		<Flavor>Multiprocessor Free</Flavor>..		<Architecture>X64</Architecture>..		<LCID>2057</LCID>..	</OSVersionInformation>..	<ProcessInformation>..		<Pid>6540</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4625
                                                Entropy (8bit):4.477895820403801
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYtYm8M4JRrOqFq+I+q8d2O1vno9qKEd:uIjfPI7e27VxJ1u+Ih0no9qKEd
                                                MD5:CD826D175058F967329A12557477BE83
                                                SHA1:9DED38DFB5387136C03600DC7BEDDC4C3B8FD6CC
                                                SHA-256:8C2DD14C995A9B91F814B4AB009F68CCC9AB4EDDBB7C520C6AA9550D1A2723D7
                                                SHA-512:B95CAC8D2E393E2BE6EC27A00C5C2E34596A951D0C16B835F2153F4D1A918E94E257C4B3590E054B9FD2A0E83025C1C63D79A6D9FC461491D844C081BD7513E1
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:14 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):88690
                                                Entropy (8bit):2.05942763957228
                                                Encrypted:false
                                                SSDEEP:768:TQnWXJg/hNJ9FSb7SL6/UZFuB0Fz+IS8:B8JcSG/+uB0F5S8
                                                MD5:D642BDAF8A326B4ED9B8AF8676BFA84D
                                                SHA1:AE2E561C99B9A02B21837254E91824C9D18EEA78
                                                SHA-256:366710001E965C41B2E25D5006C057EB67B81B692248DA9B40CB6694679CFBC1
                                                SHA-512:05C5345D3E37BBDC5F6AEA444C60A9F36BE62F3647FFC70DCE2F4039150ABA2C106390279244F857199F2ACD73CFD5B262C2FAD8A1AA01069CA3D0FDBADF2327
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8342
                                                Entropy (8bit):3.693574946881828
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJTLh6a6YAOs6NgmfXOpB089bSo6sfnhbGm:R6lXJB6a6YAt6NgmfXoSoZfnV
                                                MD5:BBABE01FE6FBF4F88BA294355123B520
                                                SHA1:261D563BB4776B5D249AA4349DE85EABCABF5C43
                                                SHA-256:210A097D15B3137ADDADB27CD09DF71D40F7E244B0B12DCBCD44DA2E2B4389B8
                                                SHA-512:C54B6799C966DF0502AF4F8F35DD3BD57B4548D53DF9E4250AE21F85E4BBCA4242C234E255B0A088D7DF953602E499EDC5E212CCA22D4623688A05FD1EE9DD8B
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.6.4.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4583
                                                Entropy (8bit):4.441042794975054
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYBYm8M4JRRZFw2TI+q8iNGo9q7d:uIjfPI7e27VdJH82UZGo9q7d
                                                MD5:97E18B28F6BE8FB31322E8681D46C27C
                                                SHA1:6826737FA257CC83FD31D296D4B2EB205C6D710C
                                                SHA-256:546CAA0B90FCDBAF280AF3064142FE5BC54215EBD120CA08C5D0DFE244D0B3C9
                                                SHA-512:F716B16BBDA3FE94F350E7CF1F03085A744B8BDC59FD88A64E2DCEAB59C4CE493B7A271D83BBE9B09267F46DA98F4B4A7977458C39EB05795A8F20FEC823B053
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Nov 11 08:00:15 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):98110
                                                Entropy (8bit):1.8772817709782088
                                                Encrypted:false
                                                SSDEEP:384:8WgpEAjF/JgRMLcel4keDpiL6/UZEDqPjU0SayKbfO6tufxR:PgpDR/JgeLceST8L6/UZiqU0FGuK
                                                MD5:942BBF802BD1DE58FA0A3C8E08F357DD
                                                SHA1:D7B268F016798651A5DC8721F264F89A7EF45507
                                                SHA-256:77FB0C57D4270AA01DA934F1BA5455D92D2298B3C9FE3D35D3BB6BD078666A58
                                                SHA-512:DCAE3AA8CF60BBA58C8D3E6D47716A03F688E93C7C3073D532E7A2C19255BE9C0246ED90DAFE72AEDE6C4205E923F2149F2A3DC9E884F335A6BB374B29EDA8AC
                                                Malicious:false
                                                Preview:MDMP..a..... .........1g........................l................E..........T.......8...........T............&...X......................t...............................................................................eJ..............GenuineIntel............T.......$.....1g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8342
                                                Entropy (8bit):3.6942899098007826
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJT86CM6YAON6NgmfXOpBu89bpo6sfAjm:R6lXJo6CM6YAM6NgmfXupoZfZ
                                                MD5:0570C367EEE77ABBFCB2BE125B56EC81
                                                SHA1:BBD1383A79336A515AADAA5C2E8EEA518BEF3715
                                                SHA-256:392B98ADF09037200AF73EAD302D8C93F8E3698AD7F55DD11992C353FAAB7C35
                                                SHA-512:EF151ABFA8AEA94CCB34B8FC52EF9774EFA71BF40E26CA88E5D44857FFB676E377116843FD4FEE14E473480C57C59F44161FDFF2AE3C13169E130ABF88999433
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.6.4.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4583
                                                Entropy (8bit):4.437905549357651
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zs1Jg77aI9sHWpW8VYVYm8M4JRRZFP7+q8iNGo9q7d:uIjfPI7e27VNJHr7ZGo9q7d
                                                MD5:BF68BFFFCF5988B020FE26A5A69B31AE
                                                SHA1:D970861084AB664990141012268EE2EA973CD8A2
                                                SHA-256:75AA2030E4B1A4A057776980211CF5FD275DD38BBC0900D939E974B6B7886341
                                                SHA-512:4C3399C4653173F4CA30A145EC869035A17C8E1975DAE6FCFC3D3D2677F7BC2DE19271698962E180E750C7C5893E5E541CC7B830D95A002BB18DD41060AFC7B1
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="583142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                                File Type:JSON data
                                                Category:dropped
                                                Size (bytes):964
                                                Entropy (8bit):5.018755016491396
                                                Encrypted:false
                                                SSDEEP:12:tkWsdnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qWGdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                MD5:2A164B5DB73EFF7949E5F82C332A4649
                                                SHA1:8D418849427F824C3AC29D6E7B6C1E40503F702C
                                                SHA-256:66D4C17AA00082C62674180A0454BA46583BAFF98BD7E892D4286954615D8F1B
                                                SHA-512:7C89F0DD8874E21F7B5EFADA821FD794EB58F38422F11933E4BC82923BCF8B9757C055D454A8B8458ADF6EFE305EFA7F001092E0459EA4764BAC6AE90F30AE18
                                                Malicious:false
                                                Preview:{. "geoplugin_request":"66.23.206.109",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                Process:C:\Users\user\Desktop\advancePayment-pdf.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):549888
                                                Entropy (8bit):6.53082479182163
                                                Encrypted:false
                                                SSDEEP:12288:kEaf/xmwKOsmya7IQVPl55z0AdmSg4MXu3KYPH:kEafZ7HyaEQVFz0AdmSg4ku3KYP
                                                MD5:821CD5EF8D94DEEEEE5B7CB82379C212
                                                SHA1:977F8407A7033B20B96FEC686E918C177160AE92
                                                SHA-256:8038FF6A41673EB151CDB7F03872C741DC762834C856D70030CD54AF744E36A4
                                                SHA-512:0F4F856CF1CC965A5BE602503EB3F26CEE460C5B2CE709ED2F7672973DA801A4CC9BD7A67F9B2FFE7471421B67D44A51C302FF98BD065FEBBF1D73EBE54A9881
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 53%
                                                • Antivirus: Virustotal, Detection: 62%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........P...P...P...N.E.p...N.T.D...N.B.<...wm..Y...P...(...N.K.Q...N.U.Q...N.P.Q...RichP...........................PE..L...=jhd......................r.....n.............@...........................x.....K..........................................P.....v.Hh...................Px.....................................p...@............................................text............................... ..`.rdata..|".......$..................@..@.data.....p.........................@....tls....=.....u.....................@....vutod........v.....................@....rsrc...Hh....v..j..................@..@.reloc..P^...Px..`..................@..B........................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\advancePayment-pdf.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:MS Windows registry file, NT/2000 or above
                                                Category:dropped
                                                Size (bytes):1835008
                                                Entropy (8bit):4.424378499690981
                                                Encrypted:false
                                                SSDEEP:6144:+Svfpi6ceLP/9skLmb0OTUWSPHaJG8nAgeMZMMhA2fX4WABlEnNN0uhiTwu:dvloTUW+EZMM6DFyD03w
                                                MD5:BB1C533DCFB21D4F792099C0A43BB707
                                                SHA1:A8F3EBDDFB6663AE76DB26AF595E45C2536E21FD
                                                SHA-256:06EB576874F567D8DC50D2DFEF5F6778517338BEA6E62273356D376D7E66C428
                                                SHA-512:D3651052DF29C4A3AC5FD49E5D6B6FFC1DCAE825A98BE8445552BE50E39331308461F7C534E13B2709279E5D7D7E3D0BFA66A9DB38FD5E24F9CE55F15BB355A3
                                                Malicious:false
                                                Preview:regfD...D....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmF.j..4...............................................................................................................................................................................................................................................................................................................................................&}.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):6.53082479182163
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:advancePayment-pdf.exe
                                                File size:549'888 bytes
                                                MD5:821cd5ef8d94deeeee5b7cb82379c212
                                                SHA1:977f8407a7033b20b96fec686e918c177160ae92
                                                SHA256:8038ff6a41673eb151cdb7f03872c741dc762834c856d70030cd54af744e36a4
                                                SHA512:0f4f856cf1cc965a5be602503eb3f26cee460c5b2ce709ed2f7672973da801a4cc9bd7a67f9b2ffe7471421b67d44a51c302ff98bd065febbf1d73ebe54a9881
                                                SSDEEP:12288:kEaf/xmwKOsmya7IQVPl55z0AdmSg4MXu3KYPH:kEafZ7HyaEQVFz0AdmSg4ku3KYP
                                                TLSH:D4C4CF82A5E02466F7BF4A3D5E3BD6D42A2FB9635E78735C2114261F0AB10E2D52370F
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........P...P...P...N.E.p...N.T.D...N.B.<...wm..Y...P...(...N.K.Q...N.U.Q...N.P.Q...RichP...........................PE..L...=jhd...
                                                Icon Hash:60611818182cd161
                                                Entrypoint:0x40186e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                Time Stamp:0x64686A3D [Sat May 20 06:35:41 2023 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:0
                                                File Version Major:5
                                                File Version Minor:0
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:0
                                                Import Hash:618f8b789fbe1ba0f63925994447c3ef
                                                Instruction
                                                call 00007F2E2CE2A87Dh
                                                jmp 00007F2E2CE269BDh
                                                mov edi, edi
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 00000328h
                                                mov dword ptr [0045E8D0h], eax
                                                mov dword ptr [0045E8CCh], ecx
                                                mov dword ptr [0045E8C8h], edx
                                                mov dword ptr [0045E8C4h], ebx
                                                mov dword ptr [0045E8C0h], esi
                                                mov dword ptr [0045E8BCh], edi
                                                mov word ptr [0045E8E8h], ss
                                                mov word ptr [0045E8DCh], cs
                                                mov word ptr [0045E8B8h], ds
                                                mov word ptr [0045E8B4h], es
                                                mov word ptr [0045E8B0h], fs
                                                mov word ptr [0045E8ACh], gs
                                                pushfd
                                                pop dword ptr [0045E8E0h]
                                                mov eax, dword ptr [ebp+00h]
                                                mov dword ptr [0045E8D4h], eax
                                                mov eax, dword ptr [ebp+04h]
                                                mov dword ptr [0045E8D8h], eax
                                                lea eax, dword ptr [ebp+08h]
                                                mov dword ptr [0045E8E4h], eax
                                                mov eax, dword ptr [ebp-00000320h]
                                                mov dword ptr [0045E820h], 00010001h
                                                mov eax, dword ptr [0045E8D8h]
                                                mov dword ptr [0045E7D4h], eax
                                                mov dword ptr [0045E7C8h], C0000409h
                                                mov dword ptr [0045E7CCh], 00000001h
                                                mov eax, dword ptr [0045D008h]
                                                mov dword ptr [ebp-00000328h], eax
                                                mov eax, dword ptr [0045D00Ch]
                                                mov dword ptr [ebp-00000324h], eax
                                                call dword ptr [000000D4h]
                                                Programming Language:
                                                • [C++] VS2008 build 21022
                                                • [ASM] VS2008 build 21022
                                                • [ C ] VS2008 build 21022
                                                • [IMP] VS2005 build 50727
                                                • [RES] VS2008 build 21022
                                                • [LNK] VS2008 build 21022
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5b8cc | 0x50 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x276e000 | 0x16848 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2785000 | 0xa14 | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x5b4b8 | 0x18 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5b470 | 0x40 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x5a000 | 0x1a4 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x5820c | 0x58400 | 8551eb1a71c55a9c8f5c158087df2857 | False | 0.853333038243626 | data | 7.59262053181599 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x5a000 | 0x227c | 0x2400 | 5687c999d1a270614e0307c3020cf803 | False | 0.3565538194444444 | data | 5.456816931629 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0x5d000 | 0x270149c | 0x1800 | baac9559905c89526c1b7746639fd4ef | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .tls | 0x275f000 | 0xd03d | 0xd200 | 4ac08b57fd7f0ac437782e5df4402ac7 | False | 0.0014508928571428572 | data | 0.0003191392697274087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .vutod | 0x276d000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .rsrc | 0x276e000 | 0x16848 | 0x16a00 | 042e6150bd6443e8a2eb75c1200d7e48 | False | 0.4459383632596685 | data | 5.2037813373062445 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0x2785000 | 0x5e50 | 0x6000 | 092a309bcc1a84467334f7dff17f43de4 | False | 0.09476725260416667 | data | 1.1354757209223152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_ICON | 0x276e870 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Spanish | Peru | 0.7257462686567164
                                                RT_ICON | 0x276f718 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Spanish | Peru | 0.7472924187725631
                                                RT_ICON | 0x276ffc0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Spanish | Peru | 0.6774193548387096
                                                RT_ICON | 0x2770688 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Spanish | Peru | 0.6654624277456648
                                                RT_ICON | 0x2770bf0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Spanish | Peru | 0.6440871369294606
                                                RT_ICON | 0x2773198 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Spanish | Peru | 0.6963114754098361
                                                RT_ICON | 0x2773b20 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Spanish | Peru | 0.7118794326241135
                                                RT_ICON | 0x2773ff0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Peru | 0.38326226012793174
                                                RT_ICON | 0x2774e98 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Spanish | Peru | 0.5302346570397112
                                                RT_ICON | 0x2775740 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Spanish | Peru | 0.6013824884792627
                                                RT_ICON | 0x2775e08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Spanish | Peru | 0.6307803468208093
                                                RT_ICON | 0x2776370 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Peru | 0.38860225140712945
                                                RT_ICON | 0x2777418 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Spanish | Peru | 0.3823770491803279
                                                RT_ICON | 0x2777da0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Peru | 0.42907801418439717
                                                RT_ICON | 0x2778270 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Peru | 0.279317697228145
                                                RT_ICON | 0x2779118 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Spanish | Peru | 0.37364620938628157
                                                RT_ICON | 0x27799c0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Spanish | Peru | 0.375
                                                RT_ICON | 0x277a088 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Spanish | Peru | 0.37283236994219654
                                                RT_ICON | 0x277a5f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Spanish | Peru | 0.2587136929460581
                                                RT_ICON | 0x277cb98 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Peru | 0.2767354596622889
                                                RT_ICON | 0x277dc40 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Spanish | Peru | 0.2872950819672131
                                                RT_ICON | 0x277e5c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Peru | 0.3280141843971631
                                                RT_STRING | 0x277ec68 | 0x408 | data | | | 0.47674418604651164
                                                RT_STRING | 0x277f070 | 0x57a | data | | | 0.43865905848787445
                                                RT_STRING | 0x277f5f0 | 0x45c | data | | | 0.44265232974910396
                                                RT_STRING | 0x277fa50 | 0x760 | data | | | 0.4231991525423729
                                                RT_STRING | 0x27801b0 | 0x6a6 | data | | | 0.4236192714453584
                                                RT_STRING | 0x2780858 | 0x6e4 | data | | | 0.43197278911564624
                                                RT_STRING | 0x2780f40 | 0x818 | data | | | 0.4136100386100386
                                                RT_STRING | 0x2781758 | 0x726 | data | | | 0.4262295081967213
                                                RT_STRING | 0x2781e80 | 0x826 | data | | | 0.4204218600191755
                                                RT_STRING | 0x27826a8 | 0x6ec | data | | | 0.42945823927765236
                                                RT_STRING | 0x2782d98 | 0x6ce | data | | | 0.42824339839265213
                                                RT_STRING | 0x2783468 | 0x796 | data | | | 0.4258496395468589
                                                RT_STRING | 0x2783c00 | 0x6de | data | | | 0.4300341296928328
                                                RT_STRING | 0x27842e0 | 0x46a | data | | | 0.45132743362831856
                                                RT_STRING | 0x2784750 | 0xf2 | data | | | 0.5330578512396694
                                                RT_ACCELERATOR | 0x277eaa8 | 0x20 | data | | | 1.15625
                                                RT_GROUP_ICON | 0x2773f88 | 0x68 | data | Spanish | Peru | 0.7115384615384616
                                                RT_GROUP_ICON | 0x277ea30 | 0x76 | data | Spanish | Peru | 0.6779661016949152
                                                RT_GROUP_ICON | 0x2778208 | 0x68 | data | Spanish | Peru | 0.7115384615384616
                                                RT_VERSION | 0x277eac8 | 0x1a0 | data | | | 0.5865384615384616
DLL | Import
KERNEL32.dll | WriteConsoleOutputCharacterA, HeapAlloc, MoveFileExW, GetConsoleAliasA, SetDefaultCommConfigW, GetSystemWindowsDirectoryW, GlobalLock, InterlockedCompareExchange, SetCommBreak, FreeEnvironmentStringsA, GetModuleHandleW, GetTickCount, GlobalAlloc, LoadLibraryW, GetConsoleAliasExesLengthW, GetStringTypeExW, GetTimeFormatW, SetConsoleCursorPosition, WriteConsoleW, GetConsoleFontSize, GetACP, GetStartupInfoW, GetLocaleInfoA, InterlockedExchange, GetStdHandle, GetLogicalDriveStringsA, GetProcAddress, SetFileAttributesA, OpenWaitableTimerA, UnhandledExceptionFilter, MoveFileA, GlobalHandle, GetModuleFileNameA, GetProcessAffinityMask, BuildCommDCBA, GetShortPathNameW, FindAtomW, FileTimeToLocalFileTime, OpenFileMappingA, DisconnectNamedPipe, GetNumaNodeProcessorMask, CreateFileA, SetStdHandle, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, GetLastError, WriteFile, DeleteCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, CloseHandle, WriteConsoleA, GetConsoleOutputCP, SetFilePointer, GetModuleHandleA
USER32.dll | GetClassLongW, GetMonitorInfoW
GDI32.dll | GetBoundsRect
Language of compilation system | Country where language is spoken | Map
Spanish | Peru
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-11T09:00:09.286393+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49706 | 198.23.227.212 | 32583 | TCP
2024-11-11T09:00:21.649534+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49736 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 11, 2024 09:00:07.816562891 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:07.822609901 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:07.822685003 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:09.066450119 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:09.071616888 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:09.225080967 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:09.286329031 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:09.286392927 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:09.292972088 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:09.297894001 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:09.297990084 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:09.302890062 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:09.303011894 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:09.308568001 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:09.452749968 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:09.514534950 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:09.514659882 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:10.606750011 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:10.611573935 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:14.861982107 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:14.949755907 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:17.562832117 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:17.567811012 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:21.077280045 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:00:21.082272053 CET | 80 | 49736 | 178.237.33.50 | 192.168.2.5
Nov 11, 2024 09:00:21.082355976 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:00:21.082515955 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:00:21.087306976 CET | 80 | 49736 | 178.237.33.50 | 192.168.2.5
Nov 11, 2024 09:00:21.649473906 CET | 80 | 49736 | 178.237.33.50 | 192.168.2.5
Nov 11, 2024 09:00:21.649533987 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:00:21.683783054 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:21.688843012 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:22.722301006 CET | 80 | 49736 | 178.237.33.50 | 192.168.2.5
Nov 11, 2024 09:00:22.722390890 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:00:44.974354982 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:45.027928114 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:45.347206116 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:00:45.352039099 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:01:15.112135887 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:01:15.152940035 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:01:15.539757967 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:01:15.544701099 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:01:45.327332973 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:01:45.403091908 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:01:46.068268061 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:01:46.073170900 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:02:10.590796947 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:02:10.903016090 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:02:11.512396097 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:02:12.715486050 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:02:15.121732950 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:02:19.934247971 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:02:20.367233038 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:02:20.418665886 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:02:20.720005035 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:02:20.722141027 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:02:20.885639906 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:02:20.983256102 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:02:29.623059034 CET | 49736 | 80 | 192.168.2.5 | 178.237.33.50
Nov 11, 2024 09:02:50.512996912 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:02:50.606905937 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:02:51.445142984 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:02:51.450499058 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:03:20.648833990 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:03:20.715549946 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:03:21.109607935 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:03:21.114634991 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:03:50.923866034 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:03:51.061829090 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:03:51.768173933 CET | 49706 | 32583 | 192.168.2.5 | 198.23.227.212
Nov 11, 2024 09:03:51.773086071 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 11, 2024 09:00:21.045093060 CET | 64681 | 53 | 192.168.2.5 | 1.1.1.1
Nov 11, 2024 09:00:21.052154064 CET | 53 | 64681 | 1.1.1.1 | 192.168.2.5
Nov 11, 2024 09:00:41.816788912 CET | 53 | 51280 | 162.159.36.2 | 192.168.2.5
Nov 11, 2024 09:00:42.291342974 CET | 53 | 50397 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 11, 2024 09:00:21.045093060 CET | 192.168.2.5 | 1.1.1.1 | 0xe588 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 11, 2024 09:00:21.052154064 CET | 1.1.1.1 | 192.168.2.5 | 0xe588 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49736 | 178.237.33.50 | 80 | 3364 | C:\Users\user\AppData\Roaming\xenor\yavascript.exe
Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 09:00:21.082515955 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Nov 11, 2024 09:00:21.649473906 CET | 1172 | IN | HTTP/1.1 200 OK
                                                date: Mon, 11 Nov 2024 08:00:21 GMT
                                                server: Apache
                                                content-length: 964
                                                content-type: application/json; charset=utf-8
                                                cache-control: public, max-age=300
                                                access-control-allow-origin: *
                                                Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 36 36 2e 32 33 2e 32 30 36 2e 31 30 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 [TRUNCATED]
                                                Data Ascii: { "geoplugin_request":"66.23.206.109", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
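The 198.23.227.212:32583 stream above settles into a poll cycle once the initial exchange ends: the server's first packet of each burst arrives at 09:00:44.97, 09:01:15.11, 09:01:45.33, 09:02:20.37, 09:02:50.51, 09:03:20.65 and 09:03:50.92 CET, about 30 s apart, which is consistent with a RAT keepalive while the implant waits for operator commands. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code, that measures that regularity over the server-to-client packets transcribed from the table; the same function applies to any stream, not only this one. The 5-second burst window, the 20 % jitter tolerance and the 75 % regular-fraction cut-off are assumed thresholds, not values taken from the report.

```python
"""Beacon-interval profile of the C2 stream listed in the report.

Added example (not part of the Joe Sandbox report, not Remcos code). The
packet rows are server-to-client packets of the 198.23.227.212:32583 stream,
transcribed from the report's TCP packet list; the thresholds are assumptions.
"""
from datetime import datetime
from statistics import median

# Constructed sample, transcribed from the report. Columns:
# timestamp (CET) | src port | dst port | src IP | dst IP
SAMPLE_C2_PACKETS = """\
Nov 11, 2024 09:00:07.822609901 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:09.071616888 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:10.611573935 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:14.861982107 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:17.567811012 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:21.688843012 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:44.974354982 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:00:45.352039099 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:01:15.112135887 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:01:45.327332973 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:01:46.073170900 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:02:20.367233038 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:02:20.983256102 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:02:50.512996912 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:03:20.648833990 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:03:50.923866034 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
Nov 11, 2024 09:03:51.773086071 CET | 32583 | 49706 | 198.23.227.212 | 192.168.2.5
"""

EPOCH = datetime(1970, 1, 1)


def parse_ts(text):
    """'Nov 11, 2024 09:00:44.974354982 CET' -> seconds since epoch (float).

    The report prints nine fractional digits, which strptime's %f rejects, so
    the fraction is split off and added by hand. The zone suffix is dropped;
    only differences between timestamps are used, so the offset is irrelevant.
    """
    text = text.strip()
    if text.endswith(" CET"):
        text = text[:-4]
    base, frac = text.rsplit(".", 1)
    whole = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return (whole - EPOCH).total_seconds() + int(frac) / 10 ** len(frac)


def parse_packets(table):
    """Parse pipe-separated rows into (time, src_ip, src_port, dst_ip, dst_port)."""
    packets = []
    for line in table.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = (c.strip() for c in line.split("|"))
        packets.append((parse_ts(ts), src, int(sport), dst, int(dport)))
    return packets


def burst_starts(times, window):
    """Collapse packets closer than `window` seconds into one burst and return
    the first timestamp of each burst, so a multi-packet poll counts once."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > window:
            starts.append(t)
        last = t
    return starts


def beacon_profile(packets, server_ip, server_port,
                   window=5.0, tolerance=0.2, min_intervals=4):
    """Measure how regular the server-originated bursts on one stream are.

    Returns the burst intervals, their median, the fraction of intervals within
    `tolerance` of the median, and a `periodic` verdict (assumed thresholds).
    """
    times = [t for t, src, sport, _dst, _dport in packets
             if src == server_ip and sport == server_port]
    starts = burst_starts(times, window)
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    if len(intervals) < min_intervals:
        return {"intervals": intervals, "median": None,
                "regular_fraction": 0.0, "periodic": False}
    med = median(intervals)
    regular = sum(1 for i in intervals if abs(i - med) <= tolerance * med)
    fraction = regular / len(intervals)
    return {"intervals": intervals, "median": med,
            "regular_fraction": fraction, "periodic": fraction >= 0.75}


if __name__ == "__main__":
    p = beacon_profile(parse_packets(SAMPLE_C2_PACKETS), "198.23.227.212", 32583)
    print("median interval %.2f s, regular %.0f%%, periodic: %s"
          % (p["median"], 100 * p["regular_fraction"], p["periodic"]))
```

The burst window is what makes the measurement usable: one poll is often several packets (09:02:20.37, .72 and .98 in the table), and counting each packet would bury the 30-second period under sub-second gaps. The first interval (initial exchange to first poll, about 37 s) falls outside the tolerance, which is why the verdict is based on the fraction of regular intervals rather than on every interval matching.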

                                                Target ID:0
                                                Start time:02:59:54
                                                Start date:11/11/2024
                                                Path:C:\Users\user\Desktop\advancePayment-pdf.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\advancePayment-pdf.exe"
                                                Imagebase:0x400000
                                                File size:549'888 bytes
                                                MD5 hash:821CD5EF8D94DEEEEE5B7CB82379C212
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2301983250.0000000002D27000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2301934227.0000000002CD9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000003.2043138338.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                Reputation:low
                                                Has exited:true

                                                Target ID:4
                                                Start time:02:59:57
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 932
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:02:59:58
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1000
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:02:59:58
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1008
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:03:00:00
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1008
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:12
                                                Start time:03:00:01
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1152
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:14
                                                Start time:03:00:02
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1160
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:15
                                                Start time:03:00:03
                                                Start date:11/11/2024
                                                Path:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                                Imagebase:0x400000
                                                File size:549'888 bytes
                                                MD5 hash:821CD5EF8D94DEEEEE5B7CB82379C212
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.4487367180.0000000002DAD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.4487332723.0000000002D69000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.4487367180.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.4485800146.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.4487541702.00000000046F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000003.2136549325.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                Antivirus matches:
                                                • Detection: 53%, ReversingLabs
                                                • Detection: 62%, Virustotal, Browse
                                                Reputation:low
                                                Has exited:false

                                                Target ID:17
                                                Start time:03:00:03
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1208
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:20
                                                Start time:03:00:06
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 632
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:22
                                                Start time:03:00:07
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 648
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:23
                                                Start time:03:00:08
                                                Start date:11/11/2024
                                                Path:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                                Imagebase:0x400000
                                                File size:549'888 bytes
                                                MD5 hash:821CD5EF8D94DEEEEE5B7CB82379C212
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2310830202.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000017.00000003.2195363370.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000017.00000002.2309513551.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000017.00000002.2310796123.0000000002D3C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000017.00000002.2310890712.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                Reputation:low
                                                Has exited:true

                                                Target ID:25
                                                Start time:03:00:09
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 728
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:27
                                                Start time:03:00:10
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 756
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:30
                                                Start time:03:00:11
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 772
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:32
                                                Start time:03:00:12
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 924
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:34
                                                Start time:03:00:12
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 532
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:36
                                                Start time:03:00:14
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 956
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:38
                                                Start time:03:00:15
                                                Start date:11/11/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 956
                                                Imagebase:0xaf0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:1.2%
                                                  Dynamic/Decrypted Code Coverage:3.6%
                                                  Signature Coverage:29.2%
                                                  Total number of Nodes:795
                                                  Total number of Limit Nodes:26
41246e RegOpenKeyExA RegQueryValueExA RegCloseKey 88500->88784 88503 40e046 88502->88503 88782 404c9e 28 API calls 88503->88782 88506 40e08b 88508 40e12a 88506->88508 88511 41ae08 28 API calls 88506->88511 88507 40e053 88509 401f66 28 API calls 88507->88509 88787 40cbac 27 API calls 88508->88787 88512 40e062 88509->88512 88514 40e0a4 88511->88514 88783 41a686 79 API calls 88512->88783 88513 40e12f 88788 413fd4 170 API calls _strftime 88513->88788 88785 412584 31 API calls 88514->88785 88517 40e067 88518 401eea 11 API calls 88517->88518 88518->88500 88520 40e0ba 88521 401e13 11 API calls 88520->88521 88524 40e0c5 88521->88524 88522 40e0ed DeleteFileW 88523 40e0f4 88522->88523 88522->88524 88526 41ae08 28 API calls 88523->88526 88524->88522 88524->88523 88525 40e0db Sleep 88524->88525 88525->88524 88527 40e104 88526->88527 88786 41297a RegOpenKeyExW RegDeleteValueW 88527->88786 88529 40e117 88530 401e13 11 API calls 88529->88530 88531 40e121 88530->88531 88532 401e13 11 API calls 88531->88532 88532->88508 88533->88228 88534->88236 88535->88232 88536->88242 88537->88244 88538->88247 88539->88222 88540->88225 88541->88229 88542->88251 88543->88254 88544->88256 88545->88253 88546->88261 88548 44dddb 88547->88548 88549 44ddd2 88547->88549 88548->88265 88552 44dcc8 48 API calls 5 library calls 88549->88552 88551->88265 88552->88548 88554 41bd22 LoadLibraryA GetProcAddress 88553->88554 88555 41bd12 GetModuleHandleA GetProcAddress 88553->88555 88556 41bd4b 32 API calls 88554->88556 88557 41bd3b LoadLibraryA GetProcAddress 88554->88557 88555->88554 88556->88270 88557->88556 88791 41a63f FindResourceA 88558->88791 88561 43a88c ___std_exception_copy 21 API calls 88562 40e192 ctype 88561->88562 88563 401f86 28 API calls 88562->88563 88564 40e1ad 88563->88564 88565 401eef 11 API calls 88564->88565 88566 40e1b8 88565->88566 88567 401eea 11 API calls 88566->88567 88568 40e1c1 88567->88568 88569 43a88c ___std_exception_copy 21 API calls 88568->88569 88570 40e1d2 ctype 88569->88570 
88794 406052 88570->88794 88572 40e205 88572->88272 88574 40e8ca 88573->88574 88576 40e8da 88574->88576 88797 40200a 11 API calls 88574->88797 88576->88280 88578 404ccb 88577->88578 88798 402e78 88578->88798 88580 404cee 88580->88294 88807 404bc4 88581->88807 88583 405cf4 88583->88297 88586 401ec9 88584->88586 88585 401ee4 88585->88311 88586->88585 88587 402325 28 API calls 88586->88587 88587->88585 88816 401e8f 88588->88816 88590 40bee1 CreateMutexA GetLastError 88590->88327 88818 41b15b 88591->88818 88593 41a471 88822 412513 RegOpenKeyExA 88593->88822 88596 401eef 11 API calls 88597 41a49f 88596->88597 88598 401eea 11 API calls 88597->88598 88599 41a4a7 88598->88599 88600 41a4fa 88599->88600 88601 412513 31 API calls 88599->88601 88600->88333 88602 41a4cd 88601->88602 88603 41a4d8 StrToIntA 88602->88603 88604 41a4ef 88603->88604 88605 41a4e6 88603->88605 88607 401eea 11 API calls 88604->88607 88827 41c102 22 API calls 88605->88827 88607->88600 88609 40698f 88608->88609 88610 4124b7 3 API calls 88609->88610 88611 406996 88610->88611 88611->88343 88611->88344 88613 41ae1c 88612->88613 88828 40b027 88613->88828 88615 41ae24 88615->88358 88617 401e27 88616->88617 88619 401e33 88617->88619 88837 402121 11 API calls 88617->88837 88619->88362 88622 402121 88620->88622 88621 402150 88621->88364 88622->88621 88838 402718 11 API calls _Deallocate 88622->88838 88625 40c8ba 88624->88625 88626 40c8da 88625->88626 88627 40c90f 88625->88627 88637 40c8d0 88625->88637 88843 41a74b 29 API calls 88626->88843 88628 41b15b 2 API calls 88627->88628 88632 40c914 88628->88632 88630 40ca03 GetLongPathNameW 88839 403b40 88630->88839 88635 40c918 88632->88635 88636 40c96a 88632->88636 88633 40c8e3 88638 401e18 11 API calls 88633->88638 88641 403b40 28 API calls 88635->88641 88640 403b40 28 API calls 88636->88640 88637->88630 88642 40c8ed 88638->88642 88639 403b40 28 API calls 88643 40ca27 88639->88643 88644 40c978 88640->88644 88645 40c926 88641->88645 88647 401e13 11 API calls 
88642->88647 88846 40cc37 28 API calls 88643->88846 88650 403b40 28 API calls 88644->88650 88651 403b40 28 API calls 88645->88651 88647->88637 88648 40ca3a 88847 402860 28 API calls 88648->88847 88653 40c98e 88650->88653 88654 40c93c 88651->88654 88652 40ca45 88848 402860 28 API calls 88652->88848 88845 402860 28 API calls 88653->88845 88844 402860 28 API calls 88654->88844 88658 40ca4f 88661 401e13 11 API calls 88658->88661 88659 40c999 88662 401e18 11 API calls 88659->88662 88660 40c947 88663 401e18 11 API calls 88660->88663 88664 40ca59 88661->88664 88665 40c9a4 88662->88665 88666 40c952 88663->88666 88667 401e13 11 API calls 88664->88667 88668 401e13 11 API calls 88665->88668 88669 401e13 11 API calls 88666->88669 88671 40ca62 88667->88671 88672 40c9ad 88668->88672 88670 40c95b 88669->88670 88674 401e13 11 API calls 88670->88674 88675 401e13 11 API calls 88671->88675 88673 401e13 11 API calls 88672->88673 88673->88642 88674->88642 88676 40ca6b 88675->88676 88677 401e13 11 API calls 88676->88677 88678 40ca74 88677->88678 88679 401e13 11 API calls 88678->88679 88680 40ca7d 88679->88680 88680->88397 88682 40bc7a _wcslen 88681->88682 88683 40bc84 88682->88683 88684 40bcce 88682->88684 88687 40bc8d CreateDirectoryW 88683->88687 88685 40c89e 32 API calls 88684->88685 88686 40bce0 88685->88686 88688 401e18 11 API calls 88686->88688 88850 40856b 88687->88850 88698 40bccc 88688->88698 88690 40bca9 88884 4028cf 88690->88884 88691 401e13 11 API calls 88696 40bcf7 88691->88696 88693 40bcb5 88694 401e18 11 API calls 88693->88694 88695 40bcc3 88694->88695 88697 401e13 11 API calls 88695->88697 88699 40bd10 88696->88699 88700 40bd2d 88696->88700 88697->88698 88698->88691 88703 40bb7b 31 API calls 88699->88703 88701 40bd36 CopyFileW 88700->88701 88702 40be07 88701->88702 88704 40bd48 _wcslen 88701->88704 88856 40bb7b 88702->88856 88733 40bd21 88703->88733 88704->88702 88706 40bd64 88704->88706 88707 40bdb7 88704->88707 88709 40c89e 32 API calls 88706->88709 88710 40c89e 32 API 
calls 88707->88710 88715 40bd6a 88709->88715 88714 40bdbd 88710->88714 88711 40be21 88719 40be2a SetFileAttributesW 88711->88719 88712 40be4d 88713 40be95 CloseHandle 88712->88713 88716 403b40 28 API calls 88712->88716 88882 401e07 88713->88882 88718 401e18 11 API calls 88714->88718 88717 401e18 11 API calls 88715->88717 88721 40be63 88716->88721 88723 40bd76 88717->88723 88722 40bdb1 88718->88722 88736 40be39 _wcslen 88719->88736 88725 41ae08 28 API calls 88721->88725 88731 401e13 11 API calls 88722->88731 88726 401e13 11 API calls 88723->88726 88724 40beb1 ShellExecuteW 88727 40bec4 88724->88727 88728 40bece ExitProcess 88724->88728 88730 40be76 88725->88730 88732 40bd7f 88726->88732 88729 40bed7 CreateMutexA GetLastError 88727->88729 88729->88733 88887 412774 RegCreateKeyW 88730->88887 88735 40bdcf 88731->88735 88734 40856b 28 API calls 88732->88734 88733->88404 88738 40bd93 88734->88738 88741 40bddb CreateDirectoryW 88735->88741 88736->88712 88737 40be4a SetFileAttributesW 88736->88737 88737->88712 88740 4028cf 28 API calls 88738->88740 88742 40bd9f 88740->88742 88744 401e07 88741->88744 88745 401e18 11 API calls 88742->88745 88746 40bdeb CopyFileW 88744->88746 88749 40bda8 88745->88749 88746->88702 88748 40bdf8 88746->88748 88747 401e13 11 API calls 88747->88713 88748->88733 88750 401e13 11 API calls 88749->88750 88750->88722 88751->88287 88752->88298 88754->88319 88756 4124e1 RegQueryValueExA RegCloseKey 88755->88756 88757 41250b 88755->88757 88756->88757 88757->88315 88758->88322 88759->88351 88760->88344 88761->88336 88762->88349 88763->88409 88764->88428 88765->88390 88767 401f6e 88766->88767 88921 402301 88767->88921 88770->88408 88771->88414 88772->88422 88773->88431 88774->88439 88775->88450 88776->88456 88777->88464 88778->88484 88779->88499 88780->88474 88781->88479 88782->88507 88783->88517 88784->88506 88785->88520 88786->88529 88787->88513 88925 419e89 105 API calls 88788->88925 88789->88342 88792 40e183 88791->88792 88793 41a65c LoadResource 
LockResource SizeofResource 88791->88793 88792->88561 88793->88792 88795 401f86 28 API calls 88794->88795 88796 406066 88795->88796 88796->88572 88797->88576 88800 402e85 88798->88800 88799 402ea9 88799->88580 88800->88799 88801 402e98 88800->88801 88803 402eae 88800->88803 88805 403445 28 API calls 88801->88805 88803->88799 88806 40225b 11 API calls 88803->88806 88805->88799 88806->88799 88808 404bd0 88807->88808 88811 40245c 88808->88811 88810 404be4 88810->88583 88812 402469 88811->88812 88814 402478 88812->88814 88815 402ad3 28 API calls 88812->88815 88814->88810 88815->88814 88817 401e94 88816->88817 88819 41b183 88818->88819 88820 41b168 GetCurrentProcess IsWow64Process 88818->88820 88819->88593 88820->88819 88821 41b17f 88820->88821 88821->88593 88823 412541 RegQueryValueExA RegCloseKey 88822->88823 88824 412569 88822->88824 88823->88824 88825 401f66 28 API calls 88824->88825 88826 41257e 88825->88826 88826->88596 88827->88604 88829 40b02f 88828->88829 88832 40b04b 88829->88832 88831 40b045 88831->88615 88833 40b055 88832->88833 88835 40b060 88833->88835 88836 40b138 28 API calls 88833->88836 88835->88831 88836->88835 88837->88619 88838->88621 88840 403b48 88839->88840 88849 403b7a 28 API calls 88840->88849 88842 403b5a 88842->88639 88843->88633 88844->88660 88845->88659 88846->88648 88847->88652 88848->88658 88849->88842 88851 408577 88850->88851 88893 402ca8 88851->88893 88855 4085a3 88855->88690 88857 40bba1 88856->88857 88858 40bbdd 88856->88858 88911 40b0dd 88857->88911 88860 40bc1e 88858->88860 88863 40b0dd 28 API calls 88858->88863 88862 40bc5f 88860->88862 88865 40b0dd 28 API calls 88860->88865 88862->88711 88862->88712 88866 40bbf4 88863->88866 88864 4028cf 28 API calls 88868 40bbbd 88864->88868 88869 40bc35 88865->88869 88867 4028cf 28 API calls 88866->88867 88870 40bbfe 88867->88870 88871 412774 14 API calls 88868->88871 88872 4028cf 28 API calls 88869->88872 88873 412774 14 API calls 88870->88873 88874 40bbd1 88871->88874 88875 40bc3f 
88872->88875 88876 40bc12 88873->88876 88877 401e13 11 API calls 88874->88877 88878 412774 14 API calls 88875->88878 88879 401e13 11 API calls 88876->88879 88877->88858 88880 40bc53 88878->88880 88879->88860 88881 401e13 11 API calls 88880->88881 88881->88862 88883 401e0c 88882->88883 88917 402d8b 88884->88917 88886 4028dd 88886->88693 88888 4127c6 88887->88888 88889 412789 88887->88889 88890 401e13 11 API calls 88888->88890 88892 4127a2 RegSetValueExW RegCloseKey 88889->88892 88891 40be89 88890->88891 88891->88747 88892->88888 88894 402cb5 88893->88894 88895 402cc8 88894->88895 88897 402cd9 88894->88897 88898 402cde 88894->88898 88904 403374 28 API calls 88895->88904 88900 402de3 88897->88900 88898->88897 88905 402f21 11 API calls 88898->88905 88901 402daf 88900->88901 88906 4030f7 88901->88906 88903 402dcd 88903->88855 88904->88897 88905->88897 88907 403101 88906->88907 88909 403115 88907->88909 88910 4036c2 28 API calls 88907->88910 88909->88903 88910->88909 88912 40b0e9 88911->88912 88913 402ca8 28 API calls 88912->88913 88914 40b10c 88913->88914 88915 402de3 28 API calls 88914->88915 88916 40b11f 88915->88916 88916->88864 88918 402d97 88917->88918 88919 4030f7 28 API calls 88918->88919 88920 402dab 88919->88920 88920->88886 88922 40230d 88921->88922 88923 402325 28 API calls 88922->88923 88924 401f80 88923->88924 88924->88401 88933 411637 62 API calls 88932->88933 88934 2cd9e23 88935 2cd9e69 88934->88935 88936 2cd9e26 88934->88936 88939 2cd9e2e 88936->88939 88940 2cd9e3d 88939->88940 88943 2cda5ce 88940->88943 88949 2cda5e9 88943->88949 88944 2cda5f2 CreateToolhelp32Snapshot 88945 2cda60e Module32First 88944->88945 88944->88949 88946 2cda61d 88945->88946 88947 2cd9e2d 88945->88947 88950 2cda28d 88946->88950 88949->88944 88949->88945 88951 2cda2b8 88950->88951 88952 2cda2c9 VirtualAlloc 88951->88952 88953 2cda301 88951->88953 88952->88953 88953->88953

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
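The resolver at 0041BCE3 above builds its import table at run time: every LoadLibraryA or GetModuleHandleA call is immediately followed by a GetProcAddress, and the report prints the export name next to the library because the compiler has already pushed it as the argument of that following GetProcAddress. The one entry without a name, Shlwapi with 0000000C, is an import by ordinal 12. The script below is an added example for triaging such a list; it is not part of the Joe Sandbox report and not the sample's code. It parses a subset of the lines above (copied as printed), flags the ordinal import, lists exports that are tried from more than one library, and sorts the rest against a watchlist. The watchlist descriptions are the analyst's own notes on what those exports are commonly used for, not findings the report states.

```python
"""Triage of the run-time import resolution seen at 0x41BCE3.

Added example, not part of the Joe Sandbox report and not Remcos code.
"""
import re

# Constructed input: a subset of the report's API lines for 0x41BCE3, copied as printed.
REPORT_LINES = """\
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000), ref: 0041BE09
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
"""

RESOLVER_RE = re.compile(
    r"(?P<resolver>LoadLibraryA|GetModuleHandleA)\.KERNEL32\("
    r"(?P<lib>[^,)]+),(?P<arg2>[^,)]+)[^)]*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
GPA_RE = re.compile(r"GetProcAddress\.KERNEL32\(")

# Analyst watchlist (assumption: typical use of these exports, not a report finding).
WATCHLIST = {
    "ntunmapviewofsection": "unmaps a section in a (possibly remote) process; process-hollowing building block",
    "ntsuspendprocess": "suspends another process",
    "ntresumeprocess": "resumes another process",
    "isuseranadmin": "checks whether the caller is elevated",
    "setprocessdeppolicy": "changes DEP for the calling process",
    "getextendedtcptable": "lists TCP endpoints of all processes (netstat-style)",
    "getextendedudptable": "lists UDP endpoints of all processes",
    "getprocessimagefilenamew": "reads image paths of other processes",
    "getconsolewindow": "locates the process's own console window (commonly to hide it)",
}


def parse_resolutions(text):
    """Turn the report's API lines into (library, export) records.

    The second stack slot printed after the library name is the export name
    (or ordinal) already pushed for the GetProcAddress call that follows.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for i, line in enumerate(lines):
        m = RESOLVER_RE.search(line)
        if not m:
            continue
        arg2 = m.group("arg2")
        # An 8-hex-digit second argument is an ordinal (MAKEINTRESOURCE), not a name.
        is_ordinal = len(arg2) == 8 and all(c in "0123456789ABCDEFabcdef" for c in arg2)
        records.append({
            "resolver": m.group("resolver"),
            "lib": m.group("lib").lower(),
            "export": int(arg2, 16) if is_ordinal else arg2,
            "by_ordinal": is_ordinal,
            "ref": m.group("ref"),
            # The idiom is only complete if GetProcAddress follows immediately.
            "paired": i + 1 < len(lines) and bool(GPA_RE.search(lines[i + 1])),
        })
    return records


def triage(records):
    """Split resolved imports into watchlist hits, ordinal imports and the rest."""
    hits, ordinals, other = [], [], []
    for r in records:
        if r["by_ordinal"]:
            ordinals.append(r)   # resolve by hand against the DLL's export table
        elif r["export"].lower() in WATCHLIST:
            hits.append((r, WATCHLIST[r["export"].lower()]))
        else:
            other.append(r)
    return {"hits": hits, "ordinals": ordinals, "other": other}


def fallbacks(records):
    """Exports the sample tries to resolve from more than one library."""
    libs = {}
    for r in records:
        if not r["by_ordinal"]:
            libs.setdefault(r["export"], []).append(r["lib"])
    return {name: seen for name, seen in libs.items() if len(set(seen)) > 1}


if __name__ == "__main__":
    recs = parse_resolutions(REPORT_LINES)
    t = triage(recs)
    for r, why in t["hits"]:
        print(f"{r['lib']}!{r['export']:<26} @ {r['ref']}  {why}")
    for r in t["ordinals"]:
        print(f"{r['lib']}!#{r['export']} (ordinal) @ {r['ref']}  resolve from the DLL export table")
    for name, seen in fallbacks(recs).items():
        print(f"{name}: tried {', '.join(seen)}")
    unpaired = [r for r in recs if not r["paired"]]
    print(f"{len(recs)} resolutions, {len(unpaired)} without a following GetProcAddress")
```

The fallback check matters for the Psapi/Kernel32 pair: the sample asks for GetProcessImageFileNameW from both, so a ruleset that keys only on psapi.dll loads would miss the second attempt. The ordinal entry has to be mapped against the export table of the shlwapi.dll build on the target, since ordinals are not stable across versions.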
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$HandleLibraryLoadModule
                                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                  • API String ID: 384173800-625181639
                                                  • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                  • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                  • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                  • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                  Control-flow Graph

                                                  [Control-flow graph of 40d767 rendered by the page as a raw block list; summarised here. The executed/not-executed colouring of the rendered graph is not recoverable from the text.]
                                                  • Blocks that call Windows APIs directly: 40d767-40d7e9 GetModuleFileNameW (after call 41bce3); 40dd60-40dd77 CreateThread (after call 41beb0); 40dd87-40de66 StrToIntA (before call 409517); 40de68-40de9f and 40debd-40def4 CreateThread (each after call 43360d); 40df0e-40df67 CreateThread (after call 40c854); 40dfe3-40dff6, 40dff8-40e002 and 40e00d-40e017 CreateThread; 40e0ed-40e0f2 DeleteFileW; 40e0db-40e0e8 Sleep.
                                                  • Other notable subcalls on the path: 40bed7 (the CreateMutexA GetLastError node in the first graph) from 40d9a5-40d9ac; 4069ba (CreateProcessA) from 40da2d; 40bc67 (the CopyFileW / RegCreateKeyW / ShellExecuteW path) from 40db35-40dba7; 40c89e (GetLongPathNameW) from 40dad7-40db03; 41a463, 40697b, 4064d0, 40e219, 41a686, 41a7a2, 40cbac and 413fd4.
                                                  • Registry helpers reached: 4124b7, 412902, 41265d, 4126d2, 4128a2, 41246e, 412584, 41297a. The remaining blocks are chains of calls into the string and allocation helpers 401d64, 401e8f, 401e18, 401e13, 401eea, 401eef, 401f66 and 40b125.
                                                  APIs
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\advancePayment-pdf.exe,00000104), ref: 0040D790
                                                    • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                  • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\advancePayment-pdf.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-I7G983$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                  • API String ID: 2830904901-111635378
                                                  • Opcode ID: 1484b2f7a7f91c3ee938c637a9a7dae7839d2338987acae383d1c6a0cb17adc1
                                                  • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                  • Opcode Fuzzy Hash: 1484b2f7a7f91c3ee938c637a9a7dae7839d2338987acae383d1c6a0cb17adc1
                                                  • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                  Control-flow Graph

                                                  APIs
                                                  • _wcslen.LIBCMT ref: 0040BC75
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\advancePayment-pdf.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                  • _wcslen.LIBCMT ref: 0040BD54
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\advancePayment-pdf.exe,00000000,00000000), ref: 0040BDF2
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                  • _wcslen.LIBCMT ref: 0040BE34
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                  • ExitProcess.KERNEL32 ref: 0040BED0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                  • String ID: 6$C:\Users\user\Desktop\advancePayment-pdf.exe$del$open$BG$BG
                                                  • API String ID: 1579085052-2550008765
                                                  • Opcode ID: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                                  • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                  • Opcode Fuzzy Hash: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                                  • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE

                                                  Control-flow Graph

                                                  APIs
                                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LongNamePath
                                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                  • API String ID: 82841172-425784914
                                                  • Opcode ID: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                                  • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                  • Opcode Fuzzy Hash: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                                  • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                  Control-flow Graph

                                                  control_flow_graph 628 47b003c-47b0047 629 47b0049 628->629 630 47b004c-47b0263 call 47b0a3f call 47b0e0f call 47b0d90 VirtualAlloc 628->630 629->630 645 47b028b-47b0292 630->645 646 47b0265-47b0289 call 47b0a69 630->646 648 47b02a1-47b02b0 645->648 650 47b02ce-47b03c2 VirtualProtect call 47b0cce call 47b0ce7 646->650 648->650 651 47b02b2-47b02cc 648->651 657 47b03d1-47b03e0 650->657 651->648 658 47b0439-47b04b8 VirtualFree 657->658 659 47b03e2-47b0437 call 47b0ce7 657->659 661 47b04be-47b04cd 658->661 662 47b05f4-47b05fe 658->662 659->657 664 47b04d3-47b04dd 661->664 665 47b077f-47b0789 662->665 666 47b0604-47b060d 662->666 664->662 670 47b04e3-47b0505 LoadLibraryA 664->670 668 47b078b-47b07a3 665->668 669 47b07a6-47b07b0 665->669 666->665 671 47b0613-47b0637 666->671 668->669 672 47b086e-47b08be LoadLibraryA 669->672 673 47b07b6-47b07cb 669->673 674 47b0517-47b0520 670->674 675 47b0507-47b0515 670->675 676 47b063e-47b0648 671->676 681 47b08c7-47b08f9 672->681 677 47b07d2-47b07d5 673->677 678 47b0526-47b0547 674->678 675->678 676->665 679 47b064e-47b065a 676->679 682 47b07d7-47b07e0 677->682 683 47b0824-47b0833 677->683 684 47b054d-47b0550 678->684 679->665 680 47b0660-47b066a 679->680 687 47b067a-47b0689 680->687 689 47b08fb-47b0901 681->689 690 47b0902-47b091d 681->690 691 47b07e2 682->691 692 47b07e4-47b0822 682->692 688 47b0839-47b083c 683->688 685 47b05e0-47b05ef 684->685 686 47b0556-47b056b 684->686 685->664 693 47b056f-47b057a 686->693 694 47b056d 686->694 695 47b068f-47b06b2 687->695 696 47b0750-47b077a 687->696 688->672 697 47b083e-47b0847 688->697 689->690 691->683 692->677 698 47b059b-47b05bb 693->698 699 47b057c-47b0599 693->699 694->685 700 47b06ef-47b06fc 695->700 701 47b06b4-47b06ed 695->701 696->676 702 47b084b-47b086c 697->702 703 47b0849 697->703 711 47b05bd-47b05db 698->711 699->711 705 47b074b 700->705 706 47b06fe-47b0748 700->706 701->700 702->688 703->672 705->687 706->705 711->684
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 047B024D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID: cess$kernel32.dll
                                                  • API String ID: 4275171209-1230238691
                                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                  • Instruction ID: a2a042365d9d704289b5850990de89eecb3c978766c0bc187cba3c45edbb1da8
                                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                  • Instruction Fuzzy Hash: F6527974A01269DFDB64CF68C984BADBBB1BF09304F1480D9E94DAB351DB30AA84DF54

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                    • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                  • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 782494840-2070987746
                                                  • Opcode ID: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                                  • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                  • Opcode Fuzzy Hash: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                                  • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                  Control-flow Graph

                                                  control_flow_graph 736 412774-412787 RegCreateKeyW 737 4127c6 736->737 738 412789-4127c4 call 4022f8 call 401e07 RegSetValueExW RegCloseKey 736->738 740 4127c8-4127d4 call 401e13 737->740 738->740
                                                  APIs
                                                  • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
                                                  • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,759237E0,?), ref: 004127AD
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,759237E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                  • API String ID: 1818849710-1051519024
                                                  • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                  • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                  • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                  • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

                                                  Control-flow Graph

                                                  APIs
                                                  • waveInPrepareHeader.WINMM(02D254B8,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                  • waveInAddBuffer.WINMM(02D254B8,00000020,?,00000000,00401913), ref: 0040175D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferHeaderPrepare
                                                  • String ID: T=G
                                                  • API String ID: 2315374483-379896819
                                                  • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                  • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                  • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                  • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98

                                                  Control-flow Graph

                                                  control_flow_graph 755 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                  • GetLastError.KERNEL32 ref: 0040BEF1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateErrorLastMutex
                                                  • String ID: Rmc-I7G983
                                                  • API String ID: 1925916568-3173645232
                                                  • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                  • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                  • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                  • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                                  Control-flow Graph

                                                  control_flow_graph 758 412513-41253f RegOpenKeyExA 759 412541-412567 RegQueryValueExA RegCloseKey 758->759 760 412572 758->760 759->760 761 412569-412570 759->761 762 412577-412583 call 401f66 760->762 761->762
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                  • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
                                                  • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                  • Opcode Fuzzy Hash: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
                                                  • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

                                                  Control-flow Graph

                                                  control_flow_graph 765 4124b7-4124df RegOpenKeyExA 766 4124e1-412509 RegQueryValueExA RegCloseKey 765->766 767 41250f-412512 765->767 766->767 768 41250b-41250e 766->768
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                  • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                  • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                  • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                  • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

                                                  Control-flow Graph

                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00403FD2
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prologsend
                                                  • String ID: >G
                                                  • API String ID: 2679777229-1296849874
                                                  • Opcode ID: 728b37a31da1c7bff0accb9b0478e21fdf66f186c638c79d333b9da4a1c5e862
                                                  • Instruction ID: b76359867f42d365a01154a9203e7742ae616bd168be0e03e69396830447a10f
                                                  • Opcode Fuzzy Hash: 728b37a31da1c7bff0accb9b0478e21fdf66f186c638c79d333b9da4a1c5e862
                                                  • Instruction Fuzzy Hash: 6C214132E001089BDB04EBA5D997AEEB7B5EF50715F20413EB416B31D2EF385A058B98

                                                  Control-flow Graph

                                                  control_flow_graph 828 2cda5ce-2cda5e7 829 2cda5e9-2cda5eb 828->829 830 2cda5ed 829->830 831 2cda5f2-2cda5fe CreateToolhelp32Snapshot 829->831 830->831 832 2cda60e-2cda61b Module32First 831->832 833 2cda600-2cda606 831->833 834 2cda61d-2cda61e call 2cda28d 832->834 835 2cda624-2cda62c 832->835 833->832 840 2cda608-2cda60c 833->840 838 2cda623 834->838 838->835 840->829 840->832
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02CDA5F6
                                                  • Module32First.KERNEL32(00000000,00000224), ref: 02CDA616
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2301934227.0000000002CD9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CD9000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2cd9000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 3833638111-0
                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                  • Instruction ID: aebfc428d749a79e1343da6320563031981c9eddb84769354809058f4ba66123
                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                  • Instruction Fuzzy Hash: 7CF09636100711ABD7203BF6988CBAEB6E8EF89669F100629F747915C0DB70E9454A65

                                                  Control-flow Graph

                                                  control_flow_graph 841 43360d-433610 842 43361f-433622 call 43a88c 841->842 844 433627-43362a 842->844 845 433612-43361d call 442200 844->845 846 43362c-43362d 844->846 845->842 849 43362e-433632 845->849 850 433638-433dec call 433d58 call 437bd7 849->850 851 433ded-433e09 call 433d8b call 437bd7 849->851 850->851
                                                  APIs
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                    • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,1DC,?,00475B70,00473D54,00000000,?,?,?,?,00434431,?,0046D680,?), ref: 00437C37
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3476068407-0
                                                  • Opcode ID: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                  • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                  • Opcode Fuzzy Hash: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                  • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000400,?,?,047B0223,?,?), ref: 047B0E19
                                                  • SetErrorMode.KERNEL32(00000000,?,?,047B0223,?,?), ref: 047B0E1E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                  • Instruction ID: 96320461ab0832201fcf10c61558358d22b4a0c9baf4dd566703744f564f743c
                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                  • Instruction Fuzzy Hash: EFD0123114512877D7003AA4DC09BCE7B1CDF05B62F008011FB0DD9180C770954046E5
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                  • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                  • Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                  • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02CDA2DE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2301934227.0000000002CD9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CD9000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2cd9000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                  • Instruction ID: d755d617126d1c4e110fba2a60f25002e88dacc7f585f28d1a5e540ab10748ea
                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                  • Instruction Fuzzy Hash: DA113C79A00208EFDB01DF98C985E98BFF5AF08351F058095FA489B362D371EA50EF80
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                    • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                    • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                    • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                    • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                    • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                    • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                    • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                    • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                    • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                    • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                  • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                    • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                    • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                    • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                  • Sleep.KERNEL32(000007D0), ref: 00407976
                                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                    • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                  • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                  • API String ID: 2918587301-599666313
                                                  • Opcode ID: fe774ec57ea4c9c98434e9a8a4b205946b127d152570ca2712e415059fb31443
                                                  • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                  • Opcode Fuzzy Hash: fe774ec57ea4c9c98434e9a8a4b205946b127d152570ca2712e415059fb31443
                                                  • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 0040508E
                                                    • Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                    • Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  • __Init_thread_footer.LIBCMT ref: 004050CB
                                                  • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                  • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                    • Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                    • Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                    • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                  • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                  • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                  • CloseHandle.KERNEL32 ref: 004053CD
                                                  • CloseHandle.KERNEL32 ref: 004053D5
                                                  • CloseHandle.KERNEL32 ref: 004053E7
                                                  • CloseHandle.KERNEL32 ref: 004053EF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                  • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                  • API String ID: 3815868655-81343324
                                                  • Opcode ID: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                  • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                  • Opcode Fuzzy Hash: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                  • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                    • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                  • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                    • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                    • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                    • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                  • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                  • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                  • API String ID: 65172268-860466531
                                                  • Opcode ID: d192d8a590ecce51a9812f84f69104631043a8cd194a5600cb3b3bff2e47a3d7
                                                  • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                  • Opcode Fuzzy Hash: d192d8a590ecce51a9812f84f69104631043a8cd194a5600cb3b3bff2e47a3d7
                                                  • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                  • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                  • FindClose.KERNEL32(00000000), ref: 0040B517
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                  • API String ID: 1164774033-3681987949
                                                  • Opcode ID: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                  • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                  • Opcode Fuzzy Hash: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                  • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                  APIs
                                                  • NtdllDefWindowProc_A.USER32(?,00000401,?,?), ref: 0041CAE9
                                                  • GetCursorPos.USER32(?), ref: 0041CAF8
                                                  • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                  • Shell_NotifyIcon.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                  • ExitProcess.KERNEL32 ref: 0041CB74
                                                  • CreatePopupMenu.USER32 ref: 0041CB7A
                                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                                  • String ID: Close
                                                  • API String ID: 1665278180-3535843008
                                                  • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                  • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                  • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                  • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                  • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                  • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                  • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$Close$File$FirstNext
                                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                  • API String ID: 3527384056-432212279
                                                  • Opcode ID: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                  • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                  • Opcode Fuzzy Hash: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                  • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                  • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                    • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                  • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                  • API String ID: 726551946-3025026198
                                                  • Opcode ID: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                  • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                  • Opcode Fuzzy Hash: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                  • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 004159C7
                                                  • EmptyClipboard.USER32 ref: 004159D5
                                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                  • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                  • CloseClipboard.USER32 ref: 00415A5A
                                                  • OpenClipboard.USER32 ref: 00415A61
                                                  • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                  • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                  • CloseClipboard.USER32 ref: 00415A89
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                  • String ID:
                                                  • API String ID: 3520204547-0
                                                  • Opcode ID: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                  • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                  • Opcode Fuzzy Hash: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                  • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                  APIs
                                                  • NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 047CCD50
                                                  • GetCursorPos.USER32(?), ref: 047CCD5F
                                                  • SetForegroundWindow.USER32(?), ref: 047CCD68
                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 047CCD82
                                                  • Shell_NotifyIcon.SHELL32(00000002,00473B50), ref: 047CCDD3
                                                  • ExitProcess.KERNEL32 ref: 047CCDDB
                                                  • CreatePopupMenu.USER32 ref: 047CCDE1
                                                  • AppendMenuA.USER32(00000000,00000000,00000000,0046C11C), ref: 047CCDF6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                                  • String ID:
                                                  • API String ID: 1665278180-0
                                                  • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                  • Instruction ID: e0b8bdb92f84840a64b71d5d0b403149dceb34dd9e5faff20534b63bd93b65df
                                                  • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                  • Instruction Fuzzy Hash: C221C931104206EFDB165F64FD0EAA93F7AEB04342F04457CBA0AA5172D7B5EA60FB18
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0$1$2$3$4$5$6$7
                                                  • API String ID: 0-3177665633
                                                  • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                  • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                  • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                  • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 00409B3F
                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                  • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                  • GetKeyState.USER32(00000010), ref: 00409B5C
                                                  • GetKeyboardState.USER32(?), ref: 00409B67
                                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                  • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                  • String ID: 8[G
                                                  • API String ID: 1888522110-1691237782
                                                  • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                  • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                  • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                  • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00406788
                                                  • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object_wcslen
                                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                  • API String ID: 240030777-3166923314
                                                  • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                  • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                  • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                  • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                  • GetLastError.KERNEL32 ref: 00419935
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                  • String ID:
                                                  • API String ID: 3587775597-0
                                                  • Opcode ID: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                  • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                  • Opcode Fuzzy Hash: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                  • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 047C9B3F
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 047C9B8E
                                                  • GetLastError.KERNEL32 ref: 047C9B9C
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 047C9BD4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                  • String ID:
                                                  • API String ID: 3587775597-0
                                                  • Opcode ID: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
                                                  • Instruction ID: f57ca5cccfca33b1134c7319d3fdc97279d3597ee7fc871db56ed0d5d10ab1a0
                                                  • Opcode Fuzzy Hash: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
                                                  • Instruction Fuzzy Hash: BE813071109344ABD354EB20D858FEFB7A8FF94708F50492DF592522A1EF70BA45CB92
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                  • String ID: <D$<D$<D
                                                  • API String ID: 745075371-3495170934
                                                  • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                  • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                  • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                  • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536
                                                    • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                  • String ID:
                                                  • API String ID: 2341273852-0
                                                  • Opcode ID: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                  • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                  • Opcode Fuzzy Hash: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                  • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 047CB6F0
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 047CB722
                                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 047CB790
                                                  • DeleteFileW.KERNEL32(?), ref: 047CB79D
                                                    • Part of subcall function 047CB696: RemoveDirectoryW.KERNEL32(?), ref: 047CB773
                                                  • FindClose.KERNEL32(00000000), ref: 047CB7C8
                                                  • RemoveDirectoryW.KERNEL32(00000000), ref: 047CB7CF
                                                  • GetLastError.KERNEL32 ref: 047CB7D7
                                                  • FindClose.KERNEL32(00000000), ref: 047CB7EA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                  • String ID:
                                                  • API String ID: 2341273852-0
                                                  • Opcode ID: 5c62029e558c151831161c7648b51b3c9b0b43d71b7e0bfa42328357c6cc7f75
                                                  • Instruction ID: 06e13e5ef8511d367a86722dff5c20344f5b5358ca7fe7de7692d0542d44eb8b
                                                  • Opcode Fuzzy Hash: 5c62029e558c151831161c7648b51b3c9b0b43d71b7e0bfa42328357c6cc7f75
                                                  • Instruction Fuzzy Hash: 3F31517284421C9ADB20DBB1AC8DBEA777CAF14305F4409EEF905E2241EB75F684CB24
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Find$CreateFirstNext
                                                  • String ID: @CG$XCG$`HG$`HG$>G
                                                  • API String ID: 341183262-3780268858
                                                  • Opcode ID: 370f4d1bb48917f4102406aff739b7f4752134e9ba6bc41bde7cf39fc8db8d8c
                                                  • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                  • Opcode Fuzzy Hash: 370f4d1bb48917f4102406aff739b7f4752134e9ba6bc41bde7cf39fc8db8d8c
                                                  • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                  • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                  • GetLastError.KERNEL32 ref: 00409A1B
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                  • TranslateMessage.USER32(?), ref: 00409A7A
                                                  • DispatchMessageA.USER32(?), ref: 00409A85
                                                  Strings
                                                  • Keylogger initialization failure: error , xrefs: 00409A32
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                  • String ID: Keylogger initialization failure: error
                                                  • API String ID: 3219506041-952744263
                                                  • Opcode ID: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                  • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                  • Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                  • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00465F1C), ref: 047BB61B
                                                  • FindClose.KERNEL32(00000000), ref: 047BB635
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 047BB758
                                                  • FindClose.KERNEL32(00000000), ref: 047BB77E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID:
                                                  • API String ID: 1164774033-0
                                                  • Opcode ID: 5b02bdbcf4a37e1aca2b174e4fdcca7b9d7d4ca2704527aaaf21edbe9df3a355
                                                  • Instruction ID: cdccc781ebd10862e7e86f3590a155fe038e2237df2bf5622747d4a840838b12
                                                  • Opcode Fuzzy Hash: 5b02bdbcf4a37e1aca2b174e4fdcca7b9d7d4ca2704527aaaf21edbe9df3a355
                                                  • Instruction Fuzzy Hash: 8F515031A1520D5EEB14FBB4DC5DFED7738AF10308F5001AAE985A6392EF307A468AD5
                                                  APIs
                                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                                  • API String ID: 2127411465-314212984
                                                  • Opcode ID: 4bfa0ab92cfe4c7e273a593f9c438f6144fcaff52e32c91ef8c2f101195a9e69
                                                  • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                  • Opcode Fuzzy Hash: 4bfa0ab92cfe4c7e273a593f9c438f6144fcaff52e32c91ef8c2f101195a9e69
                                                  • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 047C9126
                                                    • Part of subcall function 047CB881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,047B3D5A,00465324), ref: 047CB89A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CreateFindFirst
                                                  • String ID: @CG$XCG$`HG$`HG$>G
                                                  • API String ID: 41799849-3780268858
                                                  • Opcode ID: 370f4d1bb48917f4102406aff739b7f4752134e9ba6bc41bde7cf39fc8db8d8c
                                                  • Instruction ID: 60163bb8a6588edeb349c516048d22035b28ee8c9678c191cb44de2d24e44168
                                                  • Opcode Fuzzy Hash: 370f4d1bb48917f4102406aff739b7f4752134e9ba6bc41bde7cf39fc8db8d8c
                                                  • Instruction Fuzzy Hash: 1B814E716052445BE324FB64D8ACBEF73A8AF90344F40496DE5D6433A1EF30BA49C6D2
                                                  APIs
                                                    • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                    • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                    • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                  • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                  • ExitProcess.KERNEL32 ref: 0040E672
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                  • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                  • API String ID: 2281282204-3981147832
                                                  • Opcode ID: e7420bd81adcf7ecaeb63c441a7eb2a496d40f418d65372005f5d4e07d0bafb2
                                                  • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                  • Opcode Fuzzy Hash: e7420bd81adcf7ecaeb63c441a7eb2a496d40f418d65372005f5d4e07d0bafb2
                                                  • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                  • GetLastError.KERNEL32 ref: 0040B261
                                                  Strings
                                                  • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                  • UserProfile, xrefs: 0040B227
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                  • API String ID: 2018770650-1062637481
                                                  • Opcode ID: b5e309dbdaf0aeabe7af2cd1639cb477138ee585283f82b93ad88acdd4edf375
                                                  • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                  • Opcode Fuzzy Hash: b5e309dbdaf0aeabe7af2cd1639cb477138ee585283f82b93ad88acdd4edf375
                                                  • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                  • GetLastError.KERNEL32 ref: 00416B02
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3534403312-3733053543
                                                  • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                  • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                  • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                  • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 4168288129-2761157908
                                                  • Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                  • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                                  • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                  • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 004089AE
                                                    • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                    • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                    • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                    • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                    • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                    • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                    • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                  • String ID:
                                                  • API String ID: 4043647387-0
                                                  • Opcode ID: 09a69e0303e81d48d1e7444200da9c76687e86ed7c9a89389c8c98f32268c2c3
                                                  • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                  • Opcode Fuzzy Hash: 09a69e0303e81d48d1e7444200da9c76687e86ed7c9a89389c8c98f32268c2c3
                                                  • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                                  • String ID:
                                                  • API String ID: 276877138-0
                                                  • Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                  • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                  • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                  • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                  APIs
                                                    • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                    • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                    • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                    • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                    • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                  • String ID: PowrProf.dll$SetSuspendState
                                                  • API String ID: 1589313981-1420736420
                                                  • Opcode ID: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                  • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                  • Opcode Fuzzy Hash: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                  • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                  • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                  • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                  • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                  • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,04801769,?,00000000), ref: 048014E3
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,04801769,?,00000000), ref: 0480150C
                                                  • GetACP.KERNEL32(?,?,04801769,?,00000000), ref: 04801521
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                  • Instruction ID: 69e13b4d401a9d8d124b83f232219ba7d25a00fa8b0ea67bbec28c46d4ae3a3d
                                                  • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                  • Instruction Fuzzy Hash: 6521DE32720504AAD7B08F54CD08AA773A7EB45B34B46CE64E80ADB2A0F733F941C390
                                                  APIs
                                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                  • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                  • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                  • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID: SETTINGS
                                                  • API String ID: 3473537107-594951305
                                                  • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                  • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                  • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                  • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
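The function listings above leave several plain-text indicators in the unpacked image: the Chrome Login Data path and the two status messages around the DeleteFileA call, the SHDeleteKeyW import resolved at runtime from Shlwapi.dll, the SETTINGS resource name passed to FindResourceA with type 0x0A (RT_RCDATA), the PowrProf.dll/SetSuspendState pair next to ExitWindowsEx, and the "5.3.0 Pro"/"pth_unenc" markers beside the Sleep(0x0BB8, i.e. 3000 ms)/ExitProcess path. The rule below is an added example written against this report; it is not Joe Sandbox output and not code from the sample. It encodes only strings quoted in the listings above; the rule name, the ascii/wide modifiers, the grouping and the thresholds in the condition are the editor's assumptions, not something the report states.

```yara
rule Remcos_advancePayment_pdf_report_strings
{
    meta:
        description = "Editor-written example rule from strings in Joe Sandbox analysis 1553456 (advancePayment-pdf.exe)"
        sample_sha256 = "8038ff6a41673eb151cdb7f03872c741dc762834c856d70030cd54af744e36a4"

    strings:
        // Chrome stored-login wiper: %UserProfile% + path, then DeleteFileA (ref 0040B257)
        $chrome_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" ascii
        $chrome_msg1 = "[Chrome StoredLogins found, cleared!]" ascii
        $chrome_msg2 = "[Chrome StoredLogins not found]" ascii

        // Registry key deletion resolved through LoadLibraryA/GetProcAddress (ref 004131ED)
        $shlwapi     = "Shlwapi.dll" ascii
        $shdeletekey = "SHDeleteKeyW" ascii

        // Configuration carried in an RCDATA resource named SETTINGS (FindResourceA, type 0x0A, ref 0041A650).
        // Too generic on its own; only used in combination below.
        $settings    = "SETTINGS" ascii fullword

        // Power control: ExitWindowsEx plus SetSuspendState resolved from PowrProf.dll (ref 00415970)
        $powrprof    = "PowrProf.dll" ascii
        $suspend     = "SetSuspendState" ascii

        // Build markers adjacent to the delayed-exit path (Sleep 3000 ms, then ExitProcess).
        // Encoding is not stated in the report, so both forms are accepted (assumption).
        $version     = "5.3.0 Pro" ascii wide
        $pth_unenc   = "pth_unenc" ascii wide

    condition:
        // No MZ/PE header check on purpose: the 047B0000 region in this report is a
        // memory dump with "based on PE: false", so headers may be missing from what you scan.
        ($chrome_path and 1 of ($chrome_msg*)) or
        ($settings and $shlwapi and $shdeletekey) or
        ($version and $pth_unenc) or
        ($powrprof and $suspend and 2 of ($chrome*)) or
        5 of them
}
```

Scan both the submitted file and the memory dumps the report links (the 00400000 image and the 047B0000 region), since the runtime-resolved names appear as ordinary strings in either. Treat a hit on the SETTINGS clause alone as a triage signal to go and look at the resource, not as a verdict: RCDATA resources named SETTINGS exist in benign software, which is why the condition requires the Shlwapi.dll/SHDeleteKeyW pair alongside it.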
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 047B9013
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 047B908B
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 047B90B4
                                                  • FindClose.KERNEL32(?), ref: 047B90CB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 1157919129-0
                                                  • Opcode ID: cae9dc3e290e62eb3ac1bcabecde37f344aa65a3c2dada11a4f4a429893bb3a7
                                                  • Instruction ID: 3641e3f281f0afa7a5fde24e94706063534b5154fc1dda771a23a6bcd0871970
                                                  • Opcode Fuzzy Hash: cae9dc3e290e62eb3ac1bcabecde37f344aa65a3c2dada11a4f4a429893bb3a7
                                                  • Instruction Fuzzy Hash: B28166B29001189BDB15FBA4DC98FED7778AF14314F1041AAE696A72A1EF307B45CBD0
                                                  APIs
                                                    • Part of subcall function 047F7126: GetLastError.KERNEL32(?,047EE4C7,047E9583,047EE4C7,00475B70,?,047EBBBC,FF8BC35D,00475B70,00473EE8), ref: 047F712A
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F715D
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F719E
                                                    • Part of subcall function 047F7126: _abort.LIBCMT ref: 047F71A4
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F7185
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F7192
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0480172A
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 04801785
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 04801794
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,047F3F53,00000040,?,047F4073,00000055,00000000,?,?,00000055,00000000), ref: 048017DC
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,047F3FD3,00000040), ref: 048017FB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                  • String ID:
                                                  • API String ID: 745075371-0
                                                  • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                  • Instruction ID: 1bf7fa3544c8e665da00585bdf3bacdf8212ec0ba57f63d5e33a3476c087e70d
                                                  • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                  • Instruction Fuzzy Hash: 6051B571A10209AFEB50DFA4CC48ABE77B8AF04715F048A75E915DB1D0EB71EA40CB61
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00407A91
                                                  • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 1157919129-0
                                                  • Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                  • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                  • Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                  • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 047B7CF8
                                                  • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 047B7DB1
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 047B7DD5
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 047B7EDD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 1157919129-0
                                                  • Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                  • Instruction ID: 845bca35fb2d7f13e952d03fb54f1ebe30c4f406d541a6dca9e22b16980333fd
                                                  • Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                  • Instruction Fuzzy Hash: 0E517F729011089BDF08FBA4DD5DBED7778AF40308F904559A886A32A1EF34BB49CBC1
                                                  APIs
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                  • _free.LIBCMT ref: 00448067
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 00448233
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                  • String ID:
                                                  • API String ID: 1286116820-0
                                                  • Opcode ID: dcc2863490a940a86c2d18677f29901eef68eb4bdc32c7b5b3d8756236cda4bd
                                                  • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                  • Opcode Fuzzy Hash: dcc2863490a940a86c2d18677f29901eef68eb4bdc32c7b5b3d8756236cda4bd
                                                  • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 047C6D2B
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 047C6D32
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,0046BA18,?), ref: 047C6D44
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 047C6D63
                                                  • GetLastError.KERNEL32 ref: 047C6D69
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 3534403312-0
                                                  • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                  • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                  • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                  • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DownloadExecuteFileShell
                                                  • String ID: C:\Users\user\Desktop\advancePayment-pdf.exe$open
                                                  • API String ID: 2825088817-2215106687
                                                  • Opcode ID: d856352b29c500f65ac61f264686a0ac45c8e93dcc938b66659ffa0f0ca1f413
                                                  • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                  • Opcode Fuzzy Hash: d856352b29c500f65ac61f264686a0ac45c8e93dcc938b66659ffa0f0ca1f413
                                                  • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                  APIs
                                                    • Part of subcall function 047C271E: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 047C273E
                                                    • Part of subcall function 047C271E: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 047C275C
                                                    • Part of subcall function 047C271E: RegCloseKey.ADVAPI32(00000000), ref: 047C2767
                                                  • Sleep.KERNEL32(00000BB8), ref: 047BE86A
                                                  • ExitProcess.KERNEL32 ref: 047BE8D9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                  • String ID: pth_unenc$BG
                                                  • API String ID: 2281282204-2233081382
                                                  • Opcode ID: 893b02ec2893ac076e1b48ec4804a82b241512304dbf54cdddd5c3cf734e141d
                                                  • Instruction ID: 2c2f1079d9164dce0a0ee5923af7a877c3bc18442c802c28d36f000e0df50c02
                                                  • Opcode Fuzzy Hash: 893b02ec2893ac076e1b48ec4804a82b241512304dbf54cdddd5c3cf734e141d
                                                  • Instruction Fuzzy Hash: F4213621F0020027F6087679984EBEE31899B84709F54446CF895A73DBFE66BA0083E7
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$FirstNextsend
                                                  • String ID: x@G$x@G
                                                  • API String ID: 4113138495-3390264752
                                                  • Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                  • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                  • Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                  • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 047B6D44
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 047B6E0C
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$FirstNextsend
                                                  • String ID: x@G$x@G
                                                  • API String ID: 4113138495-3390264752
                                                  • Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                  • Instruction ID: 1271cea5adb9865eb76357a138ba7e2cf1d4d8e437c086e57d2b1f397eb63f8f
                                                  • Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                  • Instruction Fuzzy Hash: 83214D311052449BD614FB64DC9CAEF77A8AF84358F400969E6D692391EF34BA098AD2
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                    • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                    • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                    • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                  • API String ID: 4127273184-3576401099
                                                  • Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                  • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                  • Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                  • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                  • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                  • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                  • String ID:
                                                  • API String ID: 4212172061-0
                                                  • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                  • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                  • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                  • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                  APIs
                                                    • Part of subcall function 047F7126: GetLastError.KERNEL32(?,047EE4C7,047E9583,047EE4C7,00475B70,?,047EBBBC,FF8BC35D,00475B70,00473EE8), ref: 047F712A
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F715D
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F719E
                                                    • Part of subcall function 047F7126: _abort.LIBCMT ref: 047F71A4
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,047F3F5A,?,?,?,?,047F39B1,?,00000004), ref: 04800DC8
                                                  • _wcschr.LIBVCRUNTIME ref: 04800E58
                                                  • _wcschr.LIBVCRUNTIME ref: 04800E66
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,047F3F5A,00000000,047F407A), ref: 04800F09
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                  • String ID:
                                                  • API String ID: 4212172061-0
                                                  • Opcode ID: 2f1efdd49f250f153a7c8dca19099ac794f5d0f52f96597e3c8d2ebbc38e997e
                                                  • Instruction ID: e6fcfa500c4e9c3c9f29a0d10676fe35886d5dfc0b2cfb79c20108f74e99ea6c
                                                  • Opcode Fuzzy Hash: 2f1efdd49f250f153a7c8dca19099ac794f5d0f52f96597e3c8d2ebbc38e997e
                                                  • Instruction Fuzzy Hash: 5361F931A20205AAE764AF74EC45BB673A8EF46314F148B6AE909DB1C0EB74F940C761
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00408DAC
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$FirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 301083792-0
                                                  • Opcode ID: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                  • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                  • Opcode Fuzzy Hash: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                  • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                                  • String ID:
                                                  • API String ID: 2829624132-0
                                                  • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                  • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                  • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                  • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                  APIs
                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 047C5BC2
                                                  • LoadLibraryA.KERNEL32(0046B9C0,0046B9B0), ref: 047C5BD7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 047C5BDE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressExitLibraryLoadProcWindows
                                                  • String ID:
                                                  • API String ID: 1366546845-0
                                                  • Opcode ID: 0a607b4a7b5ecc12f789a4cc2078a46f2f116dcd92e244ce5a1d878263211a66
                                                  • Instruction ID: 5e42800161e4633ac2e5290c668dbba22aea8010d2dfc668ac0d8b20714bc0b7
                                                  • Opcode Fuzzy Hash: 0a607b4a7b5ecc12f789a4cc2078a46f2f116dcd92e244ce5a1d878263211a66
                                                  • Instruction Fuzzy Hash: C2215270605701AEEB14BBB088ACBFE2399DB403C8F404C6DA58297781EF65B946D796
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                  • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                  • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                  • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 047EA9BC
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 047EA9C6
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 047EA9D3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                  • Instruction ID: d4b9bc21b01dfa19a3ea4eec216e20a2ca4f4718c08341d19e245e220428b80e
                                                  • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                  • Instruction Fuzzy Hash: 8231B3759012199BCB21DF69D98879CBBB8AF08310F5042EAE80CA7250EB70AB818F44
                                                  APIs
                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                  • String ID:
                                                  • API String ID: 1815803762-0
                                                  • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                  • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                  • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                  • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                  APIs
                                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00471B2C,00000000,047E282C,00000034,00471B2C,?,?), ref: 047E2BB3
                                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,047E28BE,00000000,?,00000000), ref: 047E2BC9
                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,047E28BE,00000000,?,00000000,047CD9C7), ref: 047E2BDB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                  • String ID:
                                                  • API String ID: 1815803762-0
                                                  • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                  • Instruction ID: c052cc60ae4bcaaa9ac858d6173fc10779104c5a92764b403ed9c0511c4aeac0
                                                  • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                  • Instruction Fuzzy Hash: 64E0923130C310BBEB310F16BC08F773A98DB89B71F600778F251E41E5E26194409518
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                                  • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                                  • ExitProcess.KERNEL32 ref: 0044258E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                  • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                  • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                  • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000000,?,047F2791,00000000,0046DAE0,0000000C,047F28E8,00000000,00000002,00000000), ref: 047F27DC
                                                  • TerminateProcess.KERNEL32(00000000,?,047F2791,00000000,0046DAE0,0000000C,047F28E8,00000000,00000002,00000000), ref: 047F27E3
                                                  • ExitProcess.KERNEL32 ref: 047F27F5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                  • Instruction ID: 2d3effbe6602f0b9011a85f16fe95b220a4c1f3646004f0e401a3c881d62a5b0
                                                  • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                  • Instruction Fuzzy Hash: 9CE0B636004A08EFCF116F55ED48A893B6DEB40246F0040B4FA098A732CB36E982CAA4
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                                  • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                                  • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpenSuspend
                                                  • String ID:
                                                  • API String ID: 1999457699-0
                                                  • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                  • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                                  • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                  • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                                  • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                                  • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpenResume
                                                  • String ID:
                                                  • API String ID: 3614150671-0
                                                  • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                  • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                                  • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                  • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,047C534F,00000000), ref: 047CAF5F
                                                  • NtResumeProcess.NTDLL(00000000), ref: 047CAF6C
                                                  • CloseHandle.KERNEL32(00000000,?,?,047C534F,00000000), ref: 047CAF75
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpenResume
                                                  • String ID:
                                                  • API String ID: 3614150671-0
                                                  • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                  • Instruction ID: 14424b76bb07edf774ccd125af49680887547b613ee1dc5bba22bded79b332a7
                                                  • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                  • Instruction Fuzzy Hash: 39D09E32508121678221176A7C0D997EDA9DBC6AB3B064279F505D26619A70D84186A4
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,047C532A,00000000), ref: 047CAF33
                                                  • NtSuspendProcess.NTDLL(00000000), ref: 047CAF40
                                                  • CloseHandle.KERNEL32(00000000,?,?,047C532A,00000000), ref: 047CAF49
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpenSuspend
                                                  • String ID:
                                                  • API String ID: 1999457699-0
                                                  • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                  • Instruction ID: 278ab0dc3566d87c3c5d0b3e83c62475249ccf2defcd6b11705e3c8a5f434e45
                                                  • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                  • Instruction Fuzzy Hash: 6AD0A733508131638221176A7C0CD87EE6CDFC1EB37024179F408C3220DA30C84186F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .$GetProcAddress.$l
                                                  • API String ID: 0-2784972518
                                                  • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                  • Instruction ID: 68b527d62be2facf94e585eee2b983f4c20639e67556b7609fd11bb1688a1b62
                                                  • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                  • Instruction Fuzzy Hash: 523135B6900649DFEB10CF99C884BEEBBF9FB48324F14414AD981A7350D771AA45CBA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .
                                                  • API String ID: 0-248832578
                                                  • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                  • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                  • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                  • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .
                                                  • API String ID: 0-248832578
                                                  • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                  • Instruction ID: cc4fc3cb68e1191d9c08702878e60e34106f90a8f4652f6cabaa2bd9f819c7d9
                                                  • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                  • Instruction Fuzzy Hash: E731E771900249AFDB34DE79CC88EFA7BBDDF85314F0442A8EA5A97351E630AA448B50
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 047CBED3
                                                    • Part of subcall function 047C2939: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 047C2948
                                                    • Part of subcall function 047C2939: RegSetValueExA.ADVAPI32(004655B0,0046BE08,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,047CBEAD,0046BE08,004655B0,00000001,00473EE8,00000000), ref: 047C2970
                                                    • Part of subcall function 047C2939: RegCloseKey.ADVAPI32(004655B0,?,?,047CBEAD,0046BE08,004655B0,00000001,00473EE8,00000000,?,047B7C44,00000001), ref: 047C297B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                  • String ID: Control Panel\Desktop
                                                  • API String ID: 4127273184-27424756
                                                  • Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                  • Instruction ID: 100cc5854a1dff74c9faa316e76a20972a0bbab058c97bca665fd2776dcadcf1
                                                  • Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                  • Instruction Fuzzy Hash: D8118122F8021072E518307A5D1FBAE2806D356F50F90015EFB027E7DAFACB6A9003DB
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID: <D
                                                  • API String ID: 1084509184-3866323178
                                                  • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                  • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                  • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                  • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID: <D
                                                  • API String ID: 1084509184-3866323178
                                                  • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                  • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                  • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                  • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: GetLocaleInfoEx
                                                  • API String ID: 2299586839-2904428671
                                                  • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                  • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                  • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                  • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                  • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                                  • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                  • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
                                                  • Instruction ID: dcb3a781a6696df36350fadbbe37b9b1ccb2f81649383ff2a1bec42fef8b5cdd
                                                  • Opcode Fuzzy Hash: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
                                                  • Instruction Fuzzy Hash: 80021C71E00219DBDF14CFA9C9806ADBBF1EF88324F558269D919EB385D731AD41CB90
                                                  APIs
                                                  • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                  • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Name$ComputerUser
                                                  • String ID:
                                                  • API String ID: 4229901323-0
                                                  • Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                  • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                  • Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                  • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                  • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                                  • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                  • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04802334,?,?,00000008,?,?,04805679,00000000), ref: 04802566
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                  • Instruction ID: a29ce51818fd3d172927fb52927790ef56422c137cc287cdc3a9eb7fefeb9336
                                                  • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                  • Instruction Fuzzy Hash: 74B15E312206089FD755CF28C89AB657BE0FF05364F25CA98E89ACF2E1C375E991CB40
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                  • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                                  • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                  • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                  • Instruction ID: 5f310ca2350a474e59f8a5524f378418972044da433be4dfd337ae31d1f9db0c
                                                  • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                  • Instruction Fuzzy Hash: C402B23270C3045BE714DF29D951A2FB3E6BFCC758F154A2DE485EB381EA74A805CA42
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                  • String ID:
                                                  • API String ID: 1663032902-0
                                                  • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                  • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                  • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                  • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                  APIs
                                                    • Part of subcall function 047F7126: GetLastError.KERNEL32(?,047EE4C7,047E9583,047EE4C7,00475B70,?,047EBBBC,FF8BC35D,00475B70,00473EE8), ref: 047F712A
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F715D
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F719E
                                                    • Part of subcall function 047F7126: _abort.LIBCMT ref: 047F71A4
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F7185
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F7192
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 04801375
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                  • String ID:
                                                  • API String ID: 1663032902-0
                                                  • Opcode ID: a9a0ef56855296d69f28970e91aa7ff08aa6ba5c63fbad7abcadd9e72279b5a0
                                                  • Instruction ID: 415fa4acc02951f532f782aacc061df07b68ac38024eb34506e0bd0f3d1d27c2
                                                  • Opcode Fuzzy Hash: a9a0ef56855296d69f28970e91aa7ff08aa6ba5c63fbad7abcadd9e72279b5a0
                                                  • Instruction Fuzzy Hash: 3A21B6715202069BEB649F1DEC49FB673A8EF44324F01867AED01C69C0EBBAF944C751
                                                  APIs
                                                    • Part of subcall function 047F7126: GetLastError.KERNEL32(?,047EE4C7,047E9583,047EE4C7,00475B70,?,047EBBBC,FF8BC35D,00475B70,00473EE8), ref: 047F712A
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F715D
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F719E
                                                    • Part of subcall function 047F7126: _abort.LIBCMT ref: 047F71A4
                                                  • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,047F3F53,?,048016FE,00000000,?,?,?), ref: 0480101B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                  • Instruction ID: a5d620294d78f045d9e27c5258a5a603cf9111bd136a370cdac81a07e5c4b3a3
                                                  • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                  • Instruction Fuzzy Hash: 301129366103019FEB18AF39DC9567AB792FF80368B14892DE98687B80D775B543CB40
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                  • String ID:
                                                  • API String ID: 2692324296-0
                                                  • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                  • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                  • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                  • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                  APIs
                                                    • Part of subcall function 047F7126: GetLastError.KERNEL32(?,047EE4C7,047E9583,047EE4C7,00475B70,?,047EBBBC,FF8BC35D,00475B70,00473EE8), ref: 047F712A
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F715D
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F719E
                                                    • Part of subcall function 047F7126: _abort.LIBCMT ref: 047F71A4
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,048012EF,00000000,00000000,?), ref: 0480157D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                  • String ID:
                                                  • API String ID: 2692324296-0
                                                  • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                  • Instruction ID: feb9170afa779bd92dddc8a96d1dd3e16ad7bc9f9de0e52342d7cba777f0f3f2
                                                  • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                  • Instruction Fuzzy Hash: 4FF0FE32610115ABDB245E148C4DABA7768EB40334F044B69EC06E71C0EA71FD41C6D0
                                                  APIs
                                                    • Part of subcall function 047F7126: GetLastError.KERNEL32(?,047EE4C7,047E9583,047EE4C7,00475B70,?,047EBBBC,FF8BC35D,00475B70,00473EE8), ref: 047F712A
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F715D
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F719E
                                                    • Part of subcall function 047F7126: _abort.LIBCMT ref: 047F71A4
                                                  • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,047F3F53,?,048016C2,047F3F53,?,?,?,?,?,047F3F53,?,?), ref: 04801090
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                  • Instruction ID: 210ea27e1c16d3618ae2d48e5e46e64207513254441b1025aaff65f159a39f7c
                                                  • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                  • Instruction Fuzzy Hash: F8F022323003045FEB246F399C88A6A7B91EF80368B05892CFA818B680D6B2A8028640
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,047F39B1,?,00000004), ref: 047F7851
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                  • Instruction ID: 3f333e6541bfb4638e021b0910192e488058038417ee096cc8453baeb9eb2c08
                                                  • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                  • Instruction Fuzzy Hash: 49F02431A44308BBDB156F64DC0AF7E7F26EF08B22F00017AFD0526351CB71AA1096DA
                                                  APIs
                                                    • Part of subcall function 00444ACC: RtlEnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                  • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                  • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                  • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                  • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                  APIs
                                                    • Part of subcall function 047F4D33: RtlEnterCriticalSection.NTDLL(?), ref: 047F4D42
                                                  • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 047F734D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                  • Instruction ID: 74f8aa7f4808ca7a6cea3d596a06e9d2c0107be49efd66a3f31497b108c8514b
                                                  • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                  • Instruction Fuzzy Hash: D6F04932A20204EFEB04EF68EC09B5D37B0EB49325F108166F514DB3A1CB7499808B59
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                  • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                  • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                  • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                  APIs
                                                    • Part of subcall function 047F7126: GetLastError.KERNEL32(?,047EE4C7,047E9583,047EE4C7,00475B70,?,047EBBBC,FF8BC35D,00475B70,00473EE8), ref: 047F712A
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F715D
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F719E
                                                    • Part of subcall function 047F7126: _abort.LIBCMT ref: 047F71A4
                                                  • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,04801720,047F3F53,?,?,?,?,?,047F3F53,?,?,?), ref: 04800F95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                  • Instruction ID: f6b53362549b75ceb02ff412dfa12600bcc46b9b7fca8019ecc7dce5af84244d
                                                  • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                  • Instruction Fuzzy Hash: CDF0E53A30020557DB199F35EC45B6A7F94EFC3715B0680A9FE09CB6D1C675A842D750
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                  • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                  • Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                  • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,047C4814,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,0046673C), ref: 047BE8F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                  • Instruction ID: 2d2734de79e2360af001afcdb0e159fb11aa82787ea1e913dd321053deff77b2
                                                  • Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                  • Instruction Fuzzy Hash: 90D09E657452187BEA1496959C0EF9B7A9CE741B96F000165BA01D72C1E9A0AE048AE1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: recv
                                                  • String ID:
                                                  • API String ID: 1507349165-0
                                                  • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                  • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                  • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                  • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                  • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                  • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                  • Instruction Fuzzy Hash:
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: BG3i@
                                                  • API String ID: 0-2407888476
                                                  • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                  • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                                  • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                  • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                  • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                                  • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                  • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                  • Instruction ID: 1ee52d7324e7d6864af0a99ebc1badc4c9d64d9eb945b43eced0bd81fd5afd96
                                                  • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                  • Instruction Fuzzy Hash: 3951797D3006445EEB37CA7F84597BE2B999B4D348F080B4AD887CB3A1E202F509A352
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                  • Instruction ID: caa5ffd8969f2165ac47d8bb2191013b6f4de43ede8e9d30143dff901bfac869
                                                  • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                  • Instruction Fuzzy Hash: 1F515B6B7007855EEF36897F8558BBF6B999B0E344F080F0AD843CB381D625F6468396
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                  • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                  • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                  • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                  • Instruction ID: b177400fb12319f5c68208b62abff5d27319fa8a316ba05a15658bbd4a00778c
                                                  • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                  • Instruction Fuzzy Hash: D04125759287058BC318CE29C58061BFBF1FBC8354F548A1EF99693350E676A980CB82
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                  • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                  • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                  • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                  • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                  • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                  • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                  • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                  • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                  • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a18e7bb7c2c42d1902aff7cdab2f32fbef15b0e2cf6e19f50b6dfc23c9c72e89
                                                  • Instruction ID: cc12f5a963146e816b287db682393bb272f671074e2e084cfff6f0a0cf7ff3f3
                                                  • Opcode Fuzzy Hash: a18e7bb7c2c42d1902aff7cdab2f32fbef15b0e2cf6e19f50b6dfc23c9c72e89
                                                  • Instruction Fuzzy Hash: 5832C0716087469FD729DF28C48076AB7E6BF84308F044A2DF8A58B381E775F945CB86
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                  • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                  • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                  • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                  • Instruction ID: f2e6796a0bb367c21f2f08746aedcd8146ba8f2b1e8276894eb5d18a6ce71e33
                                                  • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                  • Instruction Fuzzy Hash: E3028F717146518FD328CF2EE880536B7E1AF8E3017468A3EE585C7391EB34E926CB95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                  • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                  • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                  • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
                                                  • Instruction ID: 751d3fced8b826d9fbad3bf00a562cd644bd940b967ed8be3754296c1c485c33
                                                  • Opcode Fuzzy Hash: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
                                                  • Instruction Fuzzy Hash: 41F14C716142548FD314DF1DE89187BB3E0EB8A305B460A2EF1C2D7391DB74EA1ACB66
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                  • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                  • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                  • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                  • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                  • Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                  • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                  • Instruction ID: 408749e8acfd9238ff06dfbeb898cc701e09162afea1de1bfa8cafc32a9f2658
                                                  • Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                  • Instruction Fuzzy Hash: E4B1803911429A8ACB11EF68C4913F63BA1EF6A300F0850B9EC9CCF756E2359506EB64
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                  • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                                  • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                  • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                  • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                                  • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                  • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                  • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                                  • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                  • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                  • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                  • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                  • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                  • Instruction ID: b8a2657a76e00c333703ff5c184946738a32c91f68d25b6867ac62bdf70a62ff
                                                  • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                  • Instruction Fuzzy Hash: CA618D7130070B67FB38996B5A95BBE23989F4D348F140B19D843CF3D1E523F9428209
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                  • Instruction ID: 99266a0e411d34a1e3ddd937aa098547fd8a735d929336b004760d1e13b0f895
                                                  • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                  • Instruction Fuzzy Hash: B461397130070BD6EB349AABC859BBE2395EB5E744F04071AEC43DB3D0E659F942C296
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                  • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                                  • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                  • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                  • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                  • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                  • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                  • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                  • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                  • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                  • Instruction ID: aeb2f78e334eef29dd045747942a415cfd05d46736f89d4a65238e1771a5843e
                                                  • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                  • Instruction Fuzzy Hash: 06614C329083459FD308DF75D585A5BB7F8AFDC718F440E2EF4999A250E730EA088B82
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction ID: 355e0ed35119c43a179a23d35717c9c8272330c7754940555ad3cd60d24e28d1
                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction Fuzzy Hash: 6711E77730018243DA5DCA2FD8B46BBAB95EBCF320B3D477AD5418B758D222B155A640
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2301934227.0000000002CD9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CD9000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2cd9000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                  • Instruction ID: 273d79f2a2b72c341bf8afd099945a540c8073a2e29c1865140ac7b7b480bcf2
                                                  • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                  • Instruction Fuzzy Hash: BB118E76340100AFDB44DF65DCC0FA773EAEB88260B1980A5EE09CB716D776E802CB60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                  • Instruction ID: be938e2083541669a46cc65b53bf9cc27454fd57eea89a01047e0017b08da5ba
                                                  • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                  • Instruction Fuzzy Hash: E301F272A006408FDF21DF24CC05BEB33E5FB86206F0544A4E94A9B382E770B8418BC0
                                                  APIs
                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                    • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                  • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                  • DeleteDC.GDI32(?), ref: 0041805D
                                                  • DeleteDC.GDI32(00000000), ref: 00418060
                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                  • GetCursorInfo.USER32(?), ref: 004180B5
                                                  • GetIconInfo.USER32(?,?), ref: 004180CB
                                                  • DeleteObject.GDI32(?), ref: 004180FA
                                                  • DeleteObject.GDI32(?), ref: 00418107
                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                  • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                  • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                  • DeleteDC.GDI32(?), ref: 0041827F
                                                  • DeleteDC.GDI32(00000000), ref: 00418282
                                                  • DeleteObject.GDI32(00000000), ref: 00418285
                                                  • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                  • DeleteObject.GDI32(00000000), ref: 00418344
                                                  • GlobalFree.KERNEL32(?), ref: 0041834B
                                                  • DeleteDC.GDI32(?), ref: 0041835B
                                                  • DeleteDC.GDI32(00000000), ref: 00418366
                                                  • DeleteDC.GDI32(?), ref: 00418398
                                                  • DeleteDC.GDI32(00000000), ref: 0041839B
                                                  • DeleteObject.GDI32(?), ref: 004183A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                  • String ID: DISPLAY
                                                  • API String ID: 1352755160-865373369
                                                  • Opcode ID: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                  • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                  • Opcode Fuzzy Hash: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                  • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                  • ResumeThread.KERNEL32(?), ref: 00417582
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                  • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                  • GetLastError.KERNEL32 ref: 004175C7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                  • API String ID: 4188446516-3035715614
                                                  • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                  • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                  • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                  • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                  • ExitProcess.KERNEL32 ref: 0041151D
                                                    • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                    • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                    • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                  • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                    • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                  • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                  • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                    • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                    • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                    • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                  • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                    • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                  • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                  • API String ID: 4250697656-2665858469
                                                  • Opcode ID: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                                  • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                  • Opcode Fuzzy Hash: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                                  • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                  APIs
                                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                    • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                    • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                  • ExitProcess.KERNEL32 ref: 0040C63E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                  • API String ID: 1861856835-3168347843
                                                  • Opcode ID: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
                                                  • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                  • Opcode Fuzzy Hash: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
                                                  • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                  APIs
                                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                    • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                    • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                  • ExitProcess.KERNEL32 ref: 0040C287
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                  • API String ID: 3797177996-1998216422
                                                  • Opcode ID: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                  • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                  • Opcode Fuzzy Hash: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                  • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                  APIs
                                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                  • SetEvent.KERNEL32 ref: 0041A38A
                                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                  • CloseHandle.KERNEL32 ref: 0041A3AB
                                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                  • API String ID: 738084811-1408154895
                                                  • Opcode ID: 67a24f6113aabf6128109dc61cf26ab2441941a35e225fe1c9d441213504bd5b
                                                  • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                  • Opcode Fuzzy Hash: 67a24f6113aabf6128109dc61cf26ab2441941a35e225fe1c9d441213504bd5b
                                                  • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 047C153B
                                                  • ExitProcess.KERNEL32 ref: 047C1784
                                                    • Part of subcall function 047C28C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 047C28E0
                                                    • Part of subcall function 047C28C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 047C28F9
                                                    • Part of subcall function 047C28C4: RegCloseKey.ADVAPI32(?), ref: 047C2904
                                                    • Part of subcall function 047CB881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,047B3D5A,00465324), ref: 047CB89A
                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 047C15C2
                                                  • OpenProcess.KERNEL32(00100000,00000000,047BE3BB,?,?,?,?,00000000), ref: 047C15D1
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 047C15DC
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 047C15E3
                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 047C15E9
                                                    • Part of subcall function 047C2A3C: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 047C2A4A
                                                    • Part of subcall function 047C2A3C: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,047BBBB3,004660E0,00000001,000000AF,00465554), ref: 047C2A65
                                                    • Part of subcall function 047C2A3C: RegCloseKey.ADVAPI32(?,?,?,?,047BBBB3,004660E0,00000001,000000AF,00465554), ref: 047C2A70
                                                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 047C161A
                                                  • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 047C1676
                                                  • GetTempFileNameW.KERNEL32(?,0046B7CC,00000000,?,?,?,?,?,?,?,?,00000000), ref: 047C1690
                                                  • lstrcatW.KERNEL32(?,0046B7D8,?,?,?,?,?,?,?,00000000), ref: 047C16A2
                                                    • Part of subcall function 047CB7F6: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,047CB90C,00000000,00000000,?,?,047BA270), ref: 047CB852
                                                    • Part of subcall function 047CB7F6: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,047CB90C,00000000,00000000,?,?,047BA270), ref: 047CB866
                                                    • Part of subcall function 047CB7F6: CloseHandle.KERNEL32(00000000,?,00000000,047CB90C,00000000,00000000,?,?,047BA270), ref: 047CB873
                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 047C172B
                                                  • OpenProcess.KERNEL32(00100000,00000000,047BE3BB,?,?,?,?,00000000), ref: 047C1740
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 047C174B
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 047C1752
                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 047C1758
                                                    • Part of subcall function 047CB7F6: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,047CB90C,00000000,00000000,?), ref: 047CB835
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExistsExitMutexNamePointerQuerySleepWritelstrcat
                                                  • String ID: 0DG$@CG$WDH$exepath
                                                  • API String ID: 1212092484-1464086911
                                                  • Opcode ID: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                  • Instruction ID: 03768bcecf9ab79865006f904b9715a6e6a49249c660ba86b727438510c1bc13
                                                  • Opcode Fuzzy Hash: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                  • Instruction Fuzzy Hash: 3651C071A443056BEB10ABA0AC8CFFE336DDB04355F5041B9F901A7392EF74AE418B98
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                  • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                  • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                  • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Write$Create
                                                  • String ID: RIFF$WAVE$data$fmt
                                                  • API String ID: 1602526932-4212202414
                                                  • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                  • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                  • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                  • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\advancePayment-pdf.exe,00000001,004068B2,C:\Users\user\Desktop\advancePayment-pdf.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: C:\Users\user\Desktop\advancePayment-pdf.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                  • API String ID: 1646373207-3573051999
                                                  • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                  • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                  • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                  • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                  APIs
                                                  • CreateDCA.GDI32(0046BAC8,00000000,00000000,00000000), ref: 047C8220
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 047C822B
                                                    • Part of subcall function 047C86B9: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 047C86E9
                                                  • CreateCompatibleBitmap.GDI32(?,00000000), ref: 047C82AC
                                                  • SelectObject.GDI32(00000000,00000000), ref: 047C82D2
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 047C82FA
                                                  • GetCursorInfo.USER32(?), ref: 047C831C
                                                  • GetIconInfo.USER32(?,?), ref: 047C8332
                                                  • DeleteObject.GDI32(?), ref: 047C8361
                                                  • DeleteObject.GDI32(?), ref: 047C836E
                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 047C837B
                                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00471DE4,00000000,00000000,00660046), ref: 047C83AB
                                                  • GetObjectA.GDI32(?,00000018,?), ref: 047C83DA
                                                  • LocalAlloc.KERNEL32(00000040,00000028), ref: 047C8423
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 047C8446
                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 047C84AF
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 047C84D2
                                                  • DeleteObject.GDI32(00000000), ref: 047C84EC
                                                  • GlobalFree.KERNEL32(00CC0020), ref: 047C84F7
                                                  • DeleteObject.GDI32(00000000), ref: 047C85AB
                                                  • GlobalFree.KERNEL32(?), ref: 047C85B2
                                                  • DeleteObject.GDI32(?), ref: 047C8608
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object$Delete$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                  • String ID:
                                                  • API String ID: 615876539-0
                                                  • Opcode ID: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                  • Instruction ID: 38fa30b778f6ec47a2f967b698768a55124d9825d827c522cb38508b6825edee
                                                  • Opcode Fuzzy Hash: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                  • Instruction Fuzzy Hash: 29C15C315083449FD320AF65DC48B6BBBE9EF84742F05492DF989972A1EB30E904CB96
                                                  APIs
                                                  • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                  • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                  • lstrlenW.KERNEL32(?), ref: 0041B207
                                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                  • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                  • _wcslen.LIBCMT ref: 0041B2DB
                                                  • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                  • GetLastError.KERNEL32 ref: 0041B313
                                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                  • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                  • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                  • GetLastError.KERNEL32 ref: 0041B370
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                  • String ID: ?
                                                  • API String ID: 3941738427-1684325040
                                                  • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                  • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                  • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                  • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                  APIs
                                                  • lstrlenW.KERNEL32(?), ref: 047CB43D
                                                  • _memcmp.LIBVCRUNTIME ref: 047CB455
                                                  • lstrlenW.KERNEL32(?), ref: 047CB46E
                                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 047CB4A9
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 047CB4BC
                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 047CB500
                                                  • lstrcmpW.KERNEL32(?,?), ref: 047CB51B
                                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 047CB533
                                                  • _wcslen.LIBCMT ref: 047CB542
                                                  • FindVolumeClose.KERNEL32(?), ref: 047CB562
                                                  • GetLastError.KERNEL32 ref: 047CB57A
                                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 047CB5A7
                                                  • lstrcatW.KERNEL32(?,?), ref: 047CB5C0
                                                  • lstrcpyW.KERNEL32(?,?), ref: 047CB5CF
                                                  • GetLastError.KERNEL32 ref: 047CB5D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                  • String ID: ?
                                                  • API String ID: 3941738427-1684325040
                                                  • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                  • Instruction ID: e65831f2c9939a74e734ff8cecc5549b964a4d5294411815e8186f3a979cdcaa
                                                  • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                  • Instruction Fuzzy Hash: 08417071608705ABD720DFA4FC89AAB77ECAB48715F00093EF541D2261EB74E648CBD2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                                                  • String ID:
                                                  • API String ID: 2719235668-0
                                                  • Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                  • Instruction ID: 25d8bb5bdf9719ca3ea40a3e79b0e81c9a7c43c20db9c7bd0514ea1ea79024e4
                                                  • Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                  • Instruction Fuzzy Hash: 69D11A71900705BFEB25AF789C84A6E7BA9AF01324F04417DEB45A73A0F632B941CB91
                                                  APIs
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 047C75D3
                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 047C75EB
                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 047C7601
                                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 047C7627
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 047C76A7
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 047C76BB
                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 047C76F2
                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 047C77BF
                                                  • SetThreadContext.KERNEL32(?,00000000), ref: 047C77DC
                                                  • ResumeThread.KERNEL32(?), ref: 047C77E9
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 047C7801
                                                  • GetCurrentProcess.KERNEL32(?), ref: 047C780C
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 047C7826
                                                  • GetLastError.KERNEL32 ref: 047C782E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                  • String ID: ntdll
                                                  • API String ID: 3275803005-3337577438
                                                  • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                  • Instruction ID: 6d7ae4bbac6eb535a07c50a2df1624afbfaeeb4a160d34eac0a068bad4cbbbb2
                                                  • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                  • Instruction Fuzzy Hash: B9A16B71504309AFD7109F69DC89B6B7BE8FB48345F00082DF689D6261EB75E444CF6A
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 047B52F5
                                                    • Part of subcall function 047E3736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 047E3740
                                                    • Part of subcall function 047E3736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 047E3773
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  • __Init_thread_footer.LIBCMT ref: 047B5332
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 047B544E
                                                    • Part of subcall function 047E3780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 047E378B
                                                    • Part of subcall function 047E3780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 047E37C8
                                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 047B54A6
                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 047B54CB
                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 047B54F8
                                                    • Part of subcall function 047E3B0C: __onexit.LIBCMT ref: 047E3B12
                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 047B55F5
                                                  • Sleep.KERNEL32(00000064,00000062,00465554), ref: 047B560F
                                                  • TerminateProcess.KERNEL32(00000000), ref: 047B5628
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFileInit_thread_footerLeaveProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
                                                  • String ID: P\G$P\G$P\G$P\G$P\G$cmd.exe
                                                  • API String ID: 121539554-3292008770
                                                  • Opcode ID: 797804256bd83e4a27056d5b7dd8b844625091c3a01af072158c3512f2156987
                                                  • Instruction ID: 012d6dea6b43ebc385c47b337b15e5480c479c329d30c7c472d9fa0c41e80a85
                                                  • Opcode Fuzzy Hash: 797804256bd83e4a27056d5b7dd8b844625091c3a01af072158c3512f2156987
                                                  • Instruction Fuzzy Hash: B691FA71600704BFE711BB64ED88FAE3759AB4434CF404439F989AF3A1EE74B8448B99
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$EnvironmentVariable$_wcschr
                                                  • String ID:
                                                  • API String ID: 3899193279-0
                                                  • Opcode ID: d6c3568854ab9731ece1a4fc0838d18eb16a085305ec0bc3f11ac090e717a010
                                                  • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                  • Opcode Fuzzy Hash: d6c3568854ab9731ece1a4fc0838d18eb16a085305ec0bc3f11ac090e717a010
                                                  • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                    • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                  • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                  • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                  • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                  • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                  • Sleep.KERNEL32(00000064), ref: 00412060
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                  • String ID: /stext "$HDG$HDG$>G$>G
                                                  • API String ID: 1223786279-3931108886
                                                  • Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                  • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                  • Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                  • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                  • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                  • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                  • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                  • API String ID: 2490988753-744132762
                                                  • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                  • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                  • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                  • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                  APIs
                                                    • Part of subcall function 047C1900: TerminateProcess.KERNEL32(00000000,?,047BC8E4), ref: 047C1910
                                                    • Part of subcall function 047C1900: WaitForSingleObject.KERNEL32(000000FF,?,047BC8E4), ref: 047C1923
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 047BC27A
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 047BC28D
                                                    • Part of subcall function 047CAD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,047B3CA7), ref: 047CADC6
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 047BC4E7
                                                  • ExitProcess.KERNEL32 ref: 047BC4EE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
                                                  • String ID: @CG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$`=G$exepath$fso.DeleteFolder "$pth_unenc$while fso.FileExists("
                                                  • API String ID: 508158800-1730539264
                                                  • Opcode ID: a33fc09c9556ef91ef2cee6c22be68f1294df09e9ea1a498d22c8dae3f6f7800
                                                  • Instruction ID: b0875444d2e3be3c6fc688d6b83b7accb2bc9f3d52ef6cd09c31a25eeb1b9c8f
                                                  • Opcode Fuzzy Hash: a33fc09c9556ef91ef2cee6c22be68f1294df09e9ea1a498d22c8dae3f6f7800
                                                  • Instruction Fuzzy Hash: DB8191216042405BE725FB24D858FFF73A9AF90708F10886EE4C6973A1EF64B949C7D6
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                  • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnumOpen
                                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                  • API String ID: 1332880857-3714951968
                                                  • Opcode ID: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                  • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                  • Opcode Fuzzy Hash: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                  • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$Info
                                                  • String ID:
                                                  • API String ID: 2509303402-0
                                                  • Opcode ID: b14a965b39bb1d0005d45ccd5bea58761e7af8827e3441e20a468d8cef86605e
                                                  • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                  • Opcode Fuzzy Hash: b14a965b39bb1d0005d45ccd5bea58761e7af8827e3441e20a468d8cef86605e
                                                  • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                  • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                  • __aulldiv.LIBCMT ref: 00407FE9
                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                  • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                  • API String ID: 1884690901-3066803209
                                                  • Opcode ID: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                  • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                  • Opcode Fuzzy Hash: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                  • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                  APIs
                                                    • Part of subcall function 047C1900: TerminateProcess.KERNEL32(00000000,?,047BC8E4), ref: 047C1910
                                                    • Part of subcall function 047C1900: WaitForSingleObject.KERNEL32(000000FF,?,047BC8E4), ref: 047C1923
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 047BC5F2
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 047BC605
                                                    • Part of subcall function 047CB7F6: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,047CB90C,00000000,00000000,?), ref: 047CB835
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 047BC899
                                                  • ExitProcess.KERNEL32 ref: 047BC8A5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileProcess$CreateDeleteExecuteExitModuleNameObjectShellSingleTerminateWait
                                                  • String ID: @CG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$`=G$exepath$fso.DeleteFolder "$while fso.FileExists("
                                                  • API String ID: 1359289687-1885488838
                                                  • Opcode ID: 4a4176d209088168477d8c341ab9c6af581995fbe5fc9bf84f99647e44242b62
                                                  • Instruction ID: 4aa8d597cae2ce7e3e8a4b606880a9085c7a6c0ef4b760ffc7ceaf22ca961d95
                                                  • Opcode Fuzzy Hash: 4a4176d209088168477d8c341ab9c6af581995fbe5fc9bf84f99647e44242b62
                                                  • Instruction Fuzzy Hash: FA9161316052405AE325FB24D85CBFF73999F91708F10886EE8C6973A1EF24B949C7D6
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 047BBEDC
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 047BBEF5
                                                  • _wcslen.LIBCMT ref: 047BBFBB
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 047BC043
                                                  • _wcslen.LIBCMT ref: 047BC09B
                                                  • CloseHandle.KERNEL32 ref: 047BC102
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000001), ref: 047BC120
                                                  • ExitProcess.KERNEL32 ref: 047BC137
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcslen$CreateDirectory$CloseExecuteExitHandleProcessShell
                                                  • String ID: 6$C:\Users\user\Desktop\advancePayment-pdf.exe$BG$BG
                                                  • API String ID: 3303048660-1164269948
                                                  • Opcode ID: 0ce300c52b2574979d2682925cabc15749f3fad58451f58e2d3683bc22aef4dd
                                                  • Instruction ID: ce6b1ee594f6848b462f36da2ffc44016fa51a13fe961ebdf2c6306fa0b0c3e4
                                                  • Opcode Fuzzy Hash: 0ce300c52b2574979d2682925cabc15749f3fad58451f58e2d3683bc22aef4dd
                                                  • Instruction Fuzzy Hash: 4551C320304B006BE719B774AC5CFFF23999F94648F10886DF48696392EF58B945C3EA
                                                  APIs
                                                  • Sleep.KERNEL32(00001388), ref: 00409E62
                                                    • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                    • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                    • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                    • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                  • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                  • API String ID: 3795512280-3163867910
                                                  • Opcode ID: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                  • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                  • Opcode Fuzzy Hash: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                  • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                  APIs
                                                  • Sleep.KERNEL32(00001388), ref: 047BA0C9
                                                    • Part of subcall function 047B9FFE: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,047BA0D6), ref: 047BA034
                                                    • Part of subcall function 047B9FFE: GetFileSize.KERNEL32(00000000,00000000,?,?,?,047BA0D6), ref: 047BA043
                                                    • Part of subcall function 047B9FFE: Sleep.KERNEL32(00002710,?,?,?,047BA0D6), ref: 047BA070
                                                    • Part of subcall function 047B9FFE: CloseHandle.KERNEL32(00000000,?,?,?,047BA0D6), ref: 047BA077
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 047BA105
                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 047BA116
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 047BA12D
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 047BA1A7
                                                    • Part of subcall function 047CB881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,047B3D5A,00465324), ref: 047CB89A
                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 047BA2B0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                  • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                  • API String ID: 3795512280-3163867910
                                                  • Opcode ID: f1eb223cb7d2e6894d1a2c78ceddde7f199078b5105718b7a6d2036e1116f8b0
                                                  • Instruction ID: bab749b695daea56d0882188224d4f45573dee8f07685d69b263f3ca58f9c8ef
                                                  • Opcode Fuzzy Hash: f1eb223cb7d2e6894d1a2c78ceddde7f199078b5105718b7a6d2036e1116f8b0
                                                  • Instruction Fuzzy Hash: BF518F203053045BE715BB74986CBFE339A9F94248F0048ADFAC6A7392EE25B905C3D6
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                  • _free.LIBCMT ref: 004500A6
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 004500C8
                                                  • _free.LIBCMT ref: 004500DD
                                                  • _free.LIBCMT ref: 004500E8
                                                  • _free.LIBCMT ref: 0045010A
                                                  • _free.LIBCMT ref: 0045011D
                                                  • _free.LIBCMT ref: 0045012B
                                                  • _free.LIBCMT ref: 00450136
                                                  • _free.LIBCMT ref: 0045016E
                                                  • _free.LIBCMT ref: 00450175
                                                  • _free.LIBCMT ref: 00450192
                                                  • _free.LIBCMT ref: 004501AA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID:
                                                  • API String ID: 161543041-0
                                                  • Opcode ID: faacf6b4bb81b45a83147fb9adff4e05844f6cf768354ace108b4a4fc8ad935e
                                                  • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                  • Opcode Fuzzy Hash: faacf6b4bb81b45a83147fb9adff4e05844f6cf768354ace108b4a4fc8ad935e
                                                  • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 04800318
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF567
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF579
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF58B
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF59D
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF5AF
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF5C1
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF5D3
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF5E5
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF5F7
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF609
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF61B
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF62D
                                                    • Part of subcall function 047FF54A: _free.LIBCMT ref: 047FF63F
                                                  • _free.LIBCMT ref: 0480030D
                                                    • Part of subcall function 047F6D2C: HeapFree.KERNEL32(00000000,00000000,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?), ref: 047F6D42
                                                    • Part of subcall function 047F6D2C: GetLastError.KERNEL32(?,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?,?), ref: 047F6D54
                                                  • _free.LIBCMT ref: 0480032F
                                                  • _free.LIBCMT ref: 04800344
                                                  • _free.LIBCMT ref: 0480034F
                                                  • _free.LIBCMT ref: 04800371
                                                  • _free.LIBCMT ref: 04800384
                                                  • _free.LIBCMT ref: 04800392
                                                  • _free.LIBCMT ref: 0480039D
                                                  • _free.LIBCMT ref: 048003D5
                                                  • _free.LIBCMT ref: 048003DC
                                                  • _free.LIBCMT ref: 048003F9
                                                  • _free.LIBCMT ref: 04800411
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID:
                                                  • API String ID: 161543041-0
                                                  • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                  • Instruction ID: 7934eeda6e88ef4b66f10e9161323b0a9511072492819d9c5bb88fb424c2211d
                                                  • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                  • Instruction Fuzzy Hash: 3A315E31514604DFEBA2AA38EC48B5A77FAEF02354F158A29E598D72A0DF32BD41C714
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32 ref: 047C11AC
                                                    • Part of subcall function 047C2A3C: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 047C2A4A
                                                    • Part of subcall function 047C2A3C: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,047BBBB3,004660E0,00000001,000000AF,00465554), ref: 047C2A65
                                                    • Part of subcall function 047C2A3C: RegCloseKey.ADVAPI32(?,?,?,?,047BBBB3,004660E0,00000001,000000AF,00465554), ref: 047C2A70
                                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 047C11E8
                                                  • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 047C124D
                                                    • Part of subcall function 047C271E: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 047C273E
                                                    • Part of subcall function 047C271E: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 047C275C
                                                    • Part of subcall function 047C271E: RegCloseKey.ADVAPI32(00000000), ref: 047C2767
                                                  • CloseHandle.KERNEL32(00000000), ref: 047C11F7
                                                    • Part of subcall function 047CA8ED: GetLocalTime.KERNEL32(00000000), ref: 047CA907
                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 047C14C1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                  • String ID: 0DG$TTF$WDH$BG
                                                  • API String ID: 65172268-1505503698
                                                  • Opcode ID: cfd1e48dead6c5d3f6b6817fbfe2d8e6c01e86e7030477cd0b94be603cb5524d
                                                  • Instruction ID: 0201eaf26e70c658d021140a2cebbfd01f7c47772b3f96b36173f4ab8f4178b7
                                                  • Opcode Fuzzy Hash: cfd1e48dead6c5d3f6b6817fbfe2d8e6c01e86e7030477cd0b94be603cb5524d
                                                  • Instruction Fuzzy Hash: 3771713160520057E614FB70DC5DBEE73A4AF90749F4009ADF482963A2EF24BA49CBE7
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0041912D
                                                  • 73525D90.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                  • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                  • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$73525CreateDirectoryH_prologLocalTime
                                                  • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                  • API String ID: 751002821-65789007
                                                  • Opcode ID: 91d1b4f4dea65f3b826fcaa200c07d0103cb4320fd1aa60c718ca5279f5f8068
                                                  • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                  • Opcode Fuzzy Hash: 91d1b4f4dea65f3b826fcaa200c07d0103cb4320fd1aa60c718ca5279f5f8068
                                                  • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                  APIs
                                                  • connect.WS2_32(?,?,?), ref: 004042A5
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                  • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                  • API String ID: 994465650-2151626615
                                                  • Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                  • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                  • Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                  • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF
                                                  APIs
                                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                    • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                    • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                    • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                  • ExitProcess.KERNEL32 ref: 0040C832
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                  • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                  • API String ID: 1913171305-390638927
                                                  • Opcode ID: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                  • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                  • Opcode Fuzzy Hash: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                  • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 3f4ff203a67a5a9bdd9d7d6c4da54c5104c87bdfe27179d81656f8c7616d6e4f
                                                  • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                  • Opcode Fuzzy Hash: 3f4ff203a67a5a9bdd9d7d6c4da54c5104c87bdfe27179d81656f8c7616d6e4f
                                                  • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                  • closesocket.WS2_32(?), ref: 0040481F
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404885
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040488A
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040489A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                  • String ID:
                                                  • API String ID: 3658366068-0
                                                  • Opcode ID: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                  • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                  • Opcode Fuzzy Hash: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                  • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 047B81B3
                                                  • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 047B8229
                                                  • __aulldiv.LIBCMT ref: 047B8250
                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 047B8374
                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 047B838F
                                                  • CloseHandle.KERNEL32(00000000), ref: 047B8467
                                                  • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 047B8481
                                                  • CloseHandle.KERNEL32(00000000), ref: 047B84BD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                  • String ID: Uploading file to Controller: $>G
                                                  • API String ID: 1884690901-111729153
                                                  • Opcode ID: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                  • Instruction ID: 3aaf9c6b88605cb37ab2a9e66ad019164cf336fb35d6e67aa8bec26e4682f39a
                                                  • Opcode Fuzzy Hash: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                  • Instruction Fuzzy Hash: 0CB170716083409FD624FB24D858BEEB7E9AB84314F40495DF9C993391EF34A9098BD7
                                                  APIs
                                                    • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                  • GetLastError.KERNEL32 ref: 00454A96
                                                  • __dosmaperr.LIBCMT ref: 00454A9D
                                                  • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                  • GetLastError.KERNEL32 ref: 00454AB3
                                                  • __dosmaperr.LIBCMT ref: 00454ABC
                                                  • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                  • CloseHandle.KERNEL32(?), ref: 00454C26
                                                  • GetLastError.KERNEL32 ref: 00454C58
                                                  • __dosmaperr.LIBCMT ref: 00454C5F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID: H
                                                  • API String ID: 4237864984-2852464175
                                                  • Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                  • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                  • Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                  • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 047C9394
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 047C9452
                                                  • Sleep.KERNEL32(000003E8), ref: 047C94D4
                                                  • GetLocalTime.KERNEL32(?), ref: 047C94E3
                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 047C95CC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$CreateDirectoryH_prologLocalTime
                                                  • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                  • API String ID: 3069631530-65789007
                                                  • Opcode ID: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                  • Instruction ID: df222fa20af2b60508d89456913d4286ebe11d3d54ed630f3dd3c134d1e1068e
                                                  • Opcode Fuzzy Hash: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                  • Instruction Fuzzy Hash: F851C1B1A002449AEF54BBB4CC5CBFE77B8AB44304F40446DE586A7391EF246E85D791
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 0040A456
                                                  • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                  • GetForegroundWindow.USER32 ref: 0040A467
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                  • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                  • String ID: [${ User has been idle for $ minutes }$]
                                                  • API String ID: 911427763-3954389425
                                                  • Opcode ID: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                  • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                  • Opcode Fuzzy Hash: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                  • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 65535$udp
                                                  • API String ID: 0-1267037602
                                                  • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                  • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                  • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                  • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 65535$udp
                                                  • API String ID: 0-1267037602
                                                  • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                  • Instruction ID: 66fa404caa346e50d375d942f2b81c63e4125e2129fe66f1069ed2a2b7b73c2b
                                                  • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                  • Instruction Fuzzy Hash: CD410531288301ABE7209A29D918B3B7BE8EF85740F044D7DFD8597392E765F4808766
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                  • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                  • __dosmaperr.LIBCMT ref: 004393CD
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                  • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                  • __dosmaperr.LIBCMT ref: 0043940A
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                  • __dosmaperr.LIBCMT ref: 0043945E
                                                  • _free.LIBCMT ref: 0043946A
                                                  • _free.LIBCMT ref: 00439471
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                  • String ID:
                                                  • API String ID: 2441525078-0
                                                  • Opcode ID: b3d99eb30153a4a004758303dd290a751ebef4594e1807878a1a95366dabc586
                                                  • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                  • Opcode Fuzzy Hash: b3d99eb30153a4a004758303dd290a751ebef4594e1807878a1a95366dabc586
                                                  • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,047B1D3F,?,00000050,00465290,00000000), ref: 047E9620
                                                  • GetLastError.KERNEL32(?,?,047B1D3F,?,00000050,00465290,00000000), ref: 047E962D
                                                  • __dosmaperr.LIBCMT ref: 047E9634
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,047B1D3F,?,00000050,00465290,00000000), ref: 047E9660
                                                  • GetLastError.KERNEL32(?,?,?,047B1D3F,?,00000050,00465290,00000000), ref: 047E966A
                                                  • __dosmaperr.LIBCMT ref: 047E9671
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00465290,00000000,00000000,?,?,?,?,?,?,047B1D3F,?), ref: 047E96B4
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,047B1D3F,?,00000050,00465290,00000000), ref: 047E96BE
                                                  • __dosmaperr.LIBCMT ref: 047E96C5
                                                  • _free.LIBCMT ref: 047E96D1
                                                  • _free.LIBCMT ref: 047E96D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                  • String ID:
                                                  • API String ID: 2441525078-0
                                                  • Opcode ID: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
                                                  • Instruction ID: 834315db1bf5cafec602a382472f4c711046aabe6a2710dea9a5509b77679cd9
                                                  • Opcode Fuzzy Hash: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
                                                  • Instruction Fuzzy Hash: 523190F250420AFFDF116FA6DC489BE3B79EF08365F14026AFA1056350EA31E951DB61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0$1$2$3$4$5$6$7
                                                  • API String ID: 0-3177665633
                                                  • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                  • Instruction ID: bf1029daaa9fb79fa5d9b44a5b8c9a67ce4926eca879aed8869c2d95fe14c105
                                                  • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                  • Instruction Fuzzy Hash: 3861BC75589301AEEB00EF20D954BEA7BA4AF95711F41488DF5C1573E2DB30AA08CBE3
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                  • TranslateMessage.USER32(?), ref: 00404F30
                                                  • DispatchMessageA.USER32(?), ref: 00404F3B
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                  • API String ID: 2956720200-749203953
                                                  • Opcode ID: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
                                                  • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                  • Opcode Fuzzy Hash: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
                                                  • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 047B50D8
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 047B5188
                                                  • TranslateMessage.USER32(?), ref: 047B5197
                                                  • DispatchMessageA.USER32(?), ref: 047B51A2
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 047B525A
                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 047B5292
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                  • API String ID: 2956720200-749203953
                                                  • Opcode ID: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
                                                  • Instruction ID: 3155f8602c78492d3b4e20839d2d34a9916a260602d8669cbf589a602c941902
                                                  • Opcode Fuzzy Hash: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
                                                  • Instruction Fuzzy Hash: 9A41CF316042006BDB14BB789C5CAEE37A8AB85758F40096CF996833A5EF34FA05C796
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                  • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                  • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00416EF0
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                  • String ID: <$@$@FG$@FG$Temp
                                                  • API String ID: 1107811701-2245803885
                                                  • Opcode ID: 248dd396e914dd493217af7d7ad54a5765675a85d7a0f101f9c1831ea090813b
                                                  • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                  • Opcode Fuzzy Hash: 248dd396e914dd493217af7d7ad54a5765675a85d7a0f101f9c1831ea090813b
                                                  • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 047C718B
                                                  • CloseHandle.KERNEL32(00000000), ref: 047C7194
                                                  • DeleteFileA.KERNEL32(00000000), ref: 047C71A3
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 047C7157
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                  • String ID: <$@$@FG$@FG$TUF
                                                  • API String ID: 1107811701-3315534519
                                                  • Opcode ID: c09cddb986173b223f0ae78b0a5cb3d5da982f6b9b7ae30d07bc44f4aa3a3996
                                                  • Instruction ID: f7924161315bf56670cb9a2d814ff00698c4a08c8bb9ceb9f219f278bbabced1
                                                  • Opcode Fuzzy Hash: c09cddb986173b223f0ae78b0a5cb3d5da982f6b9b7ae30d07bc44f4aa3a3996
                                                  • Instruction Fuzzy Hash: 2C31A3319002099BEB15FBA4DC5DBFE7735AF50308F0041A8E546663E1EF746A8ACBD0
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                  • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\advancePayment-pdf.exe), ref: 00406705
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentProcess
                                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                  • API String ID: 2050909247-4145329354
                                                  • Opcode ID: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
                                                  • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                  • Opcode Fuzzy Hash: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
                                                  • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                  • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                  • Opcode Fuzzy Hash: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                  • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                  APIs
                                                  • _free.LIBCMT ref: 00446DDF
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 00446DEB
                                                  • _free.LIBCMT ref: 00446DF6
                                                  • _free.LIBCMT ref: 00446E01
                                                  • _free.LIBCMT ref: 00446E0C
                                                  • _free.LIBCMT ref: 00446E17
                                                  • _free.LIBCMT ref: 00446E22
                                                  • _free.LIBCMT ref: 00446E2D
                                                  • _free.LIBCMT ref: 00446E38
                                                  • _free.LIBCMT ref: 00446E46
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 00af59d8f77d525f5e577cea987aee6716e3e1816d324df57a49cd5bbf2e2e6f
                                                  • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                  • Opcode Fuzzy Hash: 00af59d8f77d525f5e577cea987aee6716e3e1816d324df57a49cd5bbf2e2e6f
                                                  • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                  APIs
                                                  • _free.LIBCMT ref: 047F7046
                                                    • Part of subcall function 047F6D2C: HeapFree.KERNEL32(00000000,00000000,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?), ref: 047F6D42
                                                    • Part of subcall function 047F6D2C: GetLastError.KERNEL32(?,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?,?), ref: 047F6D54
                                                  • _free.LIBCMT ref: 047F7052
                                                  • _free.LIBCMT ref: 047F705D
                                                  • _free.LIBCMT ref: 047F7068
                                                  • _free.LIBCMT ref: 047F7073
                                                  • _free.LIBCMT ref: 047F707E
                                                  • _free.LIBCMT ref: 047F7089
                                                  • _free.LIBCMT ref: 047F7094
                                                  • _free.LIBCMT ref: 047F709F
                                                  • _free.LIBCMT ref: 047F70AD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                  • Instruction ID: 92e9371608882992ed2f2d57873ea109494f2ab18f5abe0447ecfee9756a5864
                                                  • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                  • Instruction Fuzzy Hash: 8311727651010CAFDF45EFA4DC45CD93FB6EF04294B5190A5BA088F321DA32EE52DB84
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 047C1F01
                                                    • Part of subcall function 047CAD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,047B3CA7), ref: 047CADC6
                                                    • Part of subcall function 047C791D: CloseHandle.KERNEL32(047B3D20,?,?,047B3D20,00465324), ref: 047C7933
                                                    • Part of subcall function 047C791D: CloseHandle.KERNEL32($SF,?,?,047B3D20,00465324), ref: 047C793C
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 047C21F8
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 047C222F
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 047C226B
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                  • String ID: HDG$HDG$>G$>G
                                                  • API String ID: 1937857116-1666402509
                                                  • Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                  • Instruction ID: 5c214b765c4e0d593a4ef36551610d81b4f4a2b58bac53bfe8e7a13d32ae076d
                                                  • Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                  • Instruction Fuzzy Hash: 780224316493414EE339FB64D86CBEE73D5AF94304F5048ADE5CA42392EE70BA49C792
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Eventinet_ntoa
                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                  • API String ID: 3578746661-4192532303
                                                  • Opcode ID: a05e0ddbe8dc3814f036cc210c9733109e43822c73ea3fc4ff0ab9c9ada38e94
                                                  • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                  • Opcode Fuzzy Hash: a05e0ddbe8dc3814f036cc210c9733109e43822c73ea3fc4ff0ab9c9ada38e94
                                                  • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Eventinet_ntoa
                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                  • API String ID: 3578746661-4192532303
                                                  • Opcode ID: a05e0ddbe8dc3814f036cc210c9733109e43822c73ea3fc4ff0ab9c9ada38e94
                                                  • Instruction ID: 0113eb85a39417c734d7df004be96ed61846e2f5445e05f75e4735f01d681826
                                                  • Opcode Fuzzy Hash: a05e0ddbe8dc3814f036cc210c9733109e43822c73ea3fc4ff0ab9c9ada38e94
                                                  • Instruction Fuzzy Hash: 2C511531A042409FEB18FB78C85DBAE36E49B80344F40496DE48A973A1EF34BD45CBC6
                                                  APIs
                                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 047CA519
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 047CA555
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 047CA566
                                                  • SetEvent.KERNEL32 ref: 047CA5F1
                                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 047CA602
                                                  • CloseHandle.KERNEL32 ref: 047CA612
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
                                                  • String ID: TUF$open "
                                                  • API String ID: 1811012380-2979349893
                                                  • Opcode ID: afa000e900512d794b59872f8fe6b6e7421b33da501b9bd85e28326864c8fc87
                                                  • Instruction ID: e6390c17f908f51ffbb5c59c577498b55f1c4479aa84a832d05f59a8ef45cc27
                                                  • Opcode Fuzzy Hash: afa000e900512d794b59872f8fe6b6e7421b33da501b9bd85e28326864c8fc87
                                                  • Instruction Fuzzy Hash: 9551B3612042086FE214BB34EC89FFF375CDB80749F10046EF585A63A2EE20BD49C7A6
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 047BA6BD
                                                  • Sleep.KERNEL32(000001F4), ref: 047BA6C8
                                                  • GetForegroundWindow.USER32 ref: 047BA6CE
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 047BA6D7
                                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 047BA70B
                                                  • Sleep.KERNEL32(000003E8), ref: 047BA7DB
                                                    • Part of subcall function 047B9FBF: SetEvent.KERNEL32(00000000,?,00000000,047BAB83,00000000), ref: 047B9FEB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                  • String ID: [${ User has been idle for
                                                  • API String ID: 911427763-3934435721
                                                  • Opcode ID: 6d776f70f920023e5288755160ba8f24f5da9fa6db96a00e1421ea32c0579234
                                                  • Instruction ID: add8db4ea4cccb065b71bc29343bc43026aeac71e0f52ab0a6f6918b927d708f
                                                  • Opcode Fuzzy Hash: 6d776f70f920023e5288755160ba8f24f5da9fa6db96a00e1421ea32c0579234
                                                  • Instruction Fuzzy Hash: 3551E1716086005BE324FB34D85CBEE77A8AF84718F10496DF8C6873A1EF64BA05C6D6
                                                  APIs
                                                  • RtlDecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DecodePointer
                                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                  • API String ID: 3527080286-3064271455
                                                  • Opcode ID: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                  • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                  • Opcode Fuzzy Hash: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                  • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • Sleep.KERNEL32(00000064), ref: 00416688
                                                  • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                  • API String ID: 1462127192-2001430897
                                                  • Opcode ID: 826bb05371ff64d740857fa337f72034cbc796444b6efc95c58373138809deed
                                                  • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                  • Opcode Fuzzy Hash: 826bb05371ff64d740857fa337f72034cbc796444b6efc95c58373138809deed
                                                  • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 047C718B
                                                  • CloseHandle.KERNEL32(00000000), ref: 047C7194
                                                  • DeleteFileA.KERNEL32(00000000), ref: 047C71A3
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 047C7157
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                  • String ID: <$@$@FG$TUF
                                                  • API String ID: 1107811701-3349172182
                                                  • Opcode ID: b36bc87eb4507af4992a544fbd13103342267bc18c2cc7e8b00c7cda52f17d37
                                                  • Instruction ID: eadfd70bafe73cdcc50c15220dbbaecd216e8d510f0c6546a2844fc9560a902b
                                                  • Opcode Fuzzy Hash: b36bc87eb4507af4992a544fbd13103342267bc18c2cc7e8b00c7cda52f17d37
                                                  • Instruction Fuzzy Hash: BA3180319002099BEB15FBA4DC5DBFE7734AF50348F0041A8E546663E1EF746A8ACF90
                                                  APIs
                                                  • _strftime.LIBCMT ref: 00401AD3
                                                    • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                  • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                  • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                  • API String ID: 3809562944-3643129801
                                                  • Opcode ID: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
                                                  • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                  • Opcode Fuzzy Hash: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
                                                  • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                  APIs
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                  • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                  • waveInStart.WINMM ref: 00401A81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                  • String ID: XCG$`=G$x=G
                                                  • API String ID: 1356121797-903574159
                                                  • Opcode ID: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                  • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                  • Opcode Fuzzy Hash: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                  • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                  APIs
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 047B1BE2
                                                  • waveInOpen.WINMM(00471AF8,000000FF,00471B00,00401A8E,00000000,00000000,00000024), ref: 047B1C78
                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 047B1CCD
                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 047B1CDC
                                                  • waveInStart.WINMM ref: 047B1CE8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                  • String ID: XCG$`=G$x=G
                                                  • API String ID: 1356121797-903574159
                                                  • Opcode ID: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                  • Instruction ID: d6853a61206f0e590e036f10bbfb9d9e40394cdf8687bf22582408c8ddcef98f
                                                  • Opcode Fuzzy Hash: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                  • Instruction Fuzzy Hash: B02183316027019BC714DF7DBD19A5A7BA9FB84741B00893AE11DD77B0EBB49881CB4C
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                    • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                    • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                    • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                  • lstrcpyn.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                  • Shell_NotifyIcon.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                  • TranslateMessage.USER32(?), ref: 0041C9FB
                                                  • DispatchMessageA.USER32(?), ref: 0041CA05
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                  • String ID: Remcos
                                                  • API String ID: 1970332568-165870891
                                                  • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                  • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                  • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                  • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 542e50097625d3a0ecb36086de4ff1bdff242fcb47b56a142522dfc7620134ea
                                                  • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                  • Opcode Fuzzy Hash: 542e50097625d3a0ecb36086de4ff1bdff242fcb47b56a142522dfc7620134ea
                                                  • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b50f87e948356266a42ac280b2451f101745a062afa0556d4abdae292072cfe6
                                                  • Instruction ID: 7bb6fb426fcef20bf27b4b25e6c195d0363fced5f4ced09f26078d736d5e8504
                                                  • Opcode Fuzzy Hash: b50f87e948356266a42ac280b2451f101745a062afa0556d4abdae292072cfe6
                                                  • Instruction Fuzzy Hash: 0DC1B174E08249EFDB11DFA8CC44BADBBB5BF4A310F044199EA15AB392D734B941CB61
                                                  APIs
                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                  • __alloca_probe_16.LIBCMT ref: 00452C91
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                  • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                  • __freea.LIBCMT ref: 00452DAA
                                                  • __freea.LIBCMT ref: 00452DB6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                  • String ID:
                                                  • API String ID: 201697637-0
                                                  • Opcode ID: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                  • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                  • Opcode Fuzzy Hash: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                  • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 5328bd0f7edc37ac40c0d0f8fad2384ac8a9632e9013bb03371bda9eca2e0847
                                                  • Instruction ID: 509885afd89ff80b316e4632b385d40c2257b8af80a93b1683c744a61cab0fc8
                                                  • Opcode Fuzzy Hash: 5328bd0f7edc37ac40c0d0f8fad2384ac8a9632e9013bb03371bda9eca2e0847
                                                  • Instruction Fuzzy Hash: 2B518F31904249AFDB11DF78C840BEEBBF2FF09308F1445A9E995AB352D676A806DB50
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                  • _free.LIBCMT ref: 00444714
                                                  • _free.LIBCMT ref: 0044472D
                                                  • _free.LIBCMT ref: 0044475F
                                                  • _free.LIBCMT ref: 00444768
                                                  • _free.LIBCMT ref: 00444774
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                  • String ID: C
                                                  • API String ID: 1679612858-1037565863
                                                  • Opcode ID: a4aaba7c5d6e4864366ae43cbb97ffcd954b9c55f36d7d5844e70b80c55bd2cc
                                                  • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                  • Opcode Fuzzy Hash: a4aaba7c5d6e4864366ae43cbb97ffcd954b9c55f36d7d5844e70b80c55bd2cc
                                                  • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                  APIs
                                                    • Part of subcall function 047F7126: GetLastError.KERNEL32(?,047EE4C7,047E9583,047EE4C7,00475B70,?,047EBBBC,FF8BC35D,00475B70,00473EE8), ref: 047F712A
                                                    • Part of subcall function 047F7126: _free.LIBCMT ref: 047F715D
                                                    • Part of subcall function 047F7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F719E
                                                    • Part of subcall function 047F7126: _abort.LIBCMT ref: 047F71A4
                                                  • _memcmp.LIBVCRUNTIME ref: 047F490A
                                                  • _free.LIBCMT ref: 047F497B
                                                  • _free.LIBCMT ref: 047F4994
                                                  • _free.LIBCMT ref: 047F49C6
                                                  • _free.LIBCMT ref: 047F49CF
                                                  • _free.LIBCMT ref: 047F49DB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                  • String ID: C
                                                  • API String ID: 1679612858-1037565863
                                                  • Opcode ID: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
                                                  • Instruction ID: a1ee345fd81b48bc54266ab2a0701e0ea7959c78b5bd46461b2da944b103997a
                                                  • Opcode Fuzzy Hash: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
                                                  • Instruction Fuzzy Hash: BFB13875A016199FDB24DF28CC88AAEB7B4FB58314F1045AADA49A7350E731BE90CF40
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tcp$udp
                                                  • API String ID: 0-3725065008
                                                  • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                  • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                  • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                  • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 004017BC
                                                    • Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                    • Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                  • RtlExitUserThread.KERNEL32(00000000), ref: 004017F4
                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                    • Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                    • Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                    • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                                  • String ID: T=G$p[G$>G$>G
                                                  • API String ID: 2307665288-2461731529
                                                  • Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                  • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                  • Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                  • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 047B1A23
                                                    • Part of subcall function 047E3736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 047E3740
                                                    • Part of subcall function 047E3736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 047E3773
                                                  • RtlExitUserThread.NTDLL(00000000), ref: 047B1A5B
                                                  • waveInUnprepareHeader.WINMM(00001E64,00000020,00000000,?,00000020,00473EE8,00000000), ref: 047B1B69
                                                    • Part of subcall function 047E3780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 047E378B
                                                    • Part of subcall function 047E3780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 047E37C8
                                                    • Part of subcall function 047E3B0C: __onexit.LIBCMT ref: 047E3B12
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                                  • String ID: T=G$p[G$>G$>G
                                                  • API String ID: 2307665288-2461731529
                                                  • Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                  • Instruction ID: 45dec68deb99ed5eb928e12552fe09acbfca146c83a83bc2b7e5b99dd0c9374e
                                                  • Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                  • Instruction Fuzzy Hash: 1641F6316052045BE324FB68DCACFFE73A5EB84318F40456DE5899A3E1DF30B945CA96
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 047C2F28
                                                    • Part of subcall function 047C2C11: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 047C2C84
                                                    • Part of subcall function 047C2C11: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 047C2CB3
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 047C3098
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnumInfoOpenQuerysend
                                                  • String ID: TUF$TUFTUF$>G$DG$DG
                                                  • API String ID: 3114080316-72097156
                                                  • Opcode ID: 09c09115532b36cedb4214abfd7c567596c85741be2dd330b3884bc25d138105
                                                  • Instruction ID: a4e60fef81d1e6661dbad29c3b1a10f78f6bf109d54c76fd8cf5256e4acba813
                                                  • Opcode Fuzzy Hash: 09c09115532b36cedb4214abfd7c567596c85741be2dd330b3884bc25d138105
                                                  • Instruction Fuzzy Hash: 7B41EA316092005BE324F728DC6CBEF73959FD0348F40846EE98A57391EF247D4986E6
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 047B9DA6
                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 047B9DB2
                                                  • GetKeyboardLayout.USER32(00000000), ref: 047B9DB9
                                                  • GetKeyState.USER32(00000010), ref: 047B9DC3
                                                  • GetKeyboardState.USER32(?), ref: 047B9DCE
                                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 047B9E83
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                                  • String ID: 8[G
                                                  • API String ID: 3566172867-1691237782
                                                  • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                  • Instruction ID: 3dbf9f7f5741c8146a34f948b2292bba9652c97aff55cb75d9edb2c263d2deff
                                                  • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                  • Instruction Fuzzy Hash: 5F314FB2504308AFD710DBA0DC44FDB7BECEB48755F40083ABA85961A1E6B1F548DB96
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                    • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                    • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                  • String ID: .part
                                                  • API String ID: 1303771098-3499674018
                                                  • Opcode ID: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                                  • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                  • Opcode Fuzzy Hash: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                                  • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                  APIs
                                                    • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                    • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                    • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                    • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                    • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                  • _wcslen.LIBCMT ref: 0041A8F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                  • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                  • API String ID: 3286818993-703403762
                                                  • Opcode ID: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
                                                  • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                  • Opcode Fuzzy Hash: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
                                                  • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 047B9C68
                                                  • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 047B9C76
                                                  • GetLastError.KERNEL32 ref: 047B9C82
                                                    • Part of subcall function 047CA8ED: GetLocalTime.KERNEL32(00000000), ref: 047CA907
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 047B9CD2
                                                  • TranslateMessage.USER32(?), ref: 047B9CE1
                                                  • DispatchMessageA.USER32(?), ref: 047B9CEC
                                                  Strings
                                                  • Keylogger initialization failure: error , xrefs: 047B9C99
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                  • String ID: Keylogger initialization failure: error
                                                  • API String ID: 3219506041-952744263
                                                  • Opcode ID: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                  • Instruction ID: 9ec30343a4cc8a61a56b0e1fb414463042262c5a6a409fbddff9653a54f870d4
                                                  • Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                  • Instruction Fuzzy Hash: E711C4B16043055B9310BB799C4DEAB77ECAB95616F00057EFD95C2350FA20E504C7E6
                                                  APIs
                                                  • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                  • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Console$Window$AllocOutputShow
                                                  • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                  • API String ID: 4067487056-2527699604
                                                  • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                  • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                  • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                  • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                                  • __alloca_probe_16.LIBCMT ref: 004499E2
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                                  • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                  • __freea.LIBCMT ref: 00449B37
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  • __freea.LIBCMT ref: 00449B40
                                                  • __freea.LIBCMT ref: 00449B65
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3864826663-0
                                                  • Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                  • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                  • Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                  • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                  APIs
                                                  • SendInput.USER32 ref: 00418B08
                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                    • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InputSend$Virtual
                                                  • String ID:
                                                  • API String ID: 1167301434-0
                                                  • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                  • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                  • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                  • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 00415A46
                                                  • EmptyClipboard.USER32 ref: 00415A54
                                                  • CloseClipboard.USER32 ref: 00415A5A
                                                  • OpenClipboard.USER32 ref: 00415A61
                                                  • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                  • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                  • CloseClipboard.USER32 ref: 00415A89
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                  • String ID:
                                                  • API String ID: 2172192267-0
                                                  • Opcode ID: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                  • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                  • Opcode Fuzzy Hash: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                  • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                  APIs
                                                  • _free.LIBCMT ref: 00447EBC
                                                  • _free.LIBCMT ref: 00447EE0
                                                  • _free.LIBCMT ref: 00448067
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                  • _free.LIBCMT ref: 00448233
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                  • String ID:
                                                  • API String ID: 314583886-0
                                                  • Opcode ID: 3dde711f480ac0738695f5a8503fa20da2fb9bf7f0081bee4f05996c5c1ab310
                                                  • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                  • Opcode Fuzzy Hash: 3dde711f480ac0738695f5a8503fa20da2fb9bf7f0081bee4f05996c5c1ab310
                                                  • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                  APIs
                                                  • _free.LIBCMT ref: 047F8123
                                                  • _free.LIBCMT ref: 047F8147
                                                  • _free.LIBCMT ref: 047F82CE
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 047F82E0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 047F8358
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 047F8385
                                                  • _free.LIBCMT ref: 047F849A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                  • String ID:
                                                  • API String ID: 314583886-0
                                                  • Opcode ID: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
                                                  • Instruction ID: 6bee10b184ff21a78066f4c9a17a31d57acb5fcead631e99acb722855d3797dc
                                                  • Opcode Fuzzy Hash: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
                                                  • Instruction Fuzzy Hash: E2C13871A04204EFEB24AF79CC48ABE7BB9EF42354F1541AEDA8497351E730BA41C751
                                                  APIs
                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0480306A,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 04802E3D
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0480306A,00000000,00000000,?,00000001,?,?,?,?), ref: 04802EC0
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0480306A,?,0480306A,00000000,00000000,?,00000001,?,?,?,?), ref: 04802F53
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0480306A,00000000,00000000,?,00000001,?,?,?,?), ref: 04802F6A
                                                    • Part of subcall function 047F6D66: RtlAllocateHeap.NTDLL(00000000,047E468A,?), ref: 047F6D98
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0480306A,00000000,00000000,?,00000001,?,?,?,?), ref: 04802FE6
                                                  • __freea.LIBCMT ref: 04803011
                                                  • __freea.LIBCMT ref: 0480301D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                  • String ID:
                                                  • API String ID: 2829977744-0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: udp
                                                  • API String ID: 0-4243565622
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  APIs
                                                    • Part of subcall function 047C0820: SetLastError.KERNEL32(0000000D,047C0D9F,?,00000000), ref: 047C0826
                                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,047C0D7C), ref: 047C0E2B
                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 047C0E91
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 047C0E98
                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 047C0FA6
                                                  • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,047C0D7C), ref: 047C0FD0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
                                                  • String ID: A
                                                  • API String ID: 4001361727-520424720
                                                  APIs
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  • _free.LIBCMT ref: 00444086
                                                  • _free.LIBCMT ref: 0044409D
                                                  • _free.LIBCMT ref: 004440BC
                                                  • _free.LIBCMT ref: 004440D7
                                                  • _free.LIBCMT ref: 004440EE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$AllocateHeap
                                                  • String ID: J7D
                                                  • API String ID: 3033488037-1677391033
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                  • __fassign.LIBCMT ref: 0044A180
                                                  • __fassign.LIBCMT ref: 0044A19B
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                  • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                  • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: HE$HE
                                                  • API String ID: 269201875-1978648262
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,047FAA9F,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 047FA36C
                                                  • __fassign.LIBCMT ref: 047FA3E7
                                                  • __fassign.LIBCMT ref: 047FA402
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 047FA428
                                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,047FAA9F,00000000,?,?,?,?,?,?,?,?,?,047FAA9F,?), ref: 047FA447
                                                  • WriteFile.KERNEL32(?,?,00000001,047FAA9F,00000000,?,?,?,?,?,?,?,?,?,047FAA9F,?), ref: 047FA480
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                    • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                    • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnumInfoOpenQuerysend
                                                  • String ID: TUFTUF$>G$DG$DG
                                                  • API String ID: 3114080316-344394840
                                                  APIs
                                                    • Part of subcall function 047CB3C2: GetCurrentProcess.KERNEL32(00000003,?,?,047CA6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 047CB3D3
                                                    • Part of subcall function 047CB3C2: IsWow64Process.KERNEL32(00000000,?,?,047CA6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 047CB3DA
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047BE928
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 047BE94C
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 047BE95B
                                                  • CloseHandle.KERNEL32(00000000), ref: 047BEB12
                                                    • Part of subcall function 047CB3EE: OpenProcess.KERNEL32(00000400,00000000), ref: 047CB403
                                                    • Part of subcall function 047CB3EE: IsWow64Process.KERNEL32(00000000,?), ref: 047CB40E
                                                    • Part of subcall function 047CB5E4: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 047CB5FC
                                                    • Part of subcall function 047CB5E4: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 047CB60F
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 047BEB03
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                  • String ID: PgF
                                                  • API String ID: 2180151492-654241383
                                                  APIs
                                                  • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                  • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                  • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 1170836740-1018135373
                                                  APIs
                                                  • _strftime.LIBCMT ref: 047B1D3A
                                                    • Part of subcall function 047B1E4F: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 047B1EBB
                                                  • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 047B1DEC
                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 047B1E2A
                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 047B1E39
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                  • String ID: `=G$x=G
                                                  • API String ID: 3809562944-3004145341
                                                  APIs
                                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                  • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                  • API String ID: 1133728706-4073444585
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73f4216d9227424834ab683a62f21571e8b2afaadca920fe74bb7b8a40116277
                                                  • Instruction ID: b54f12e005ba41de87b678b393141c88e79948f24cf598e78ffab45251408d70
                                                  • Instruction Fuzzy Hash: 9E11D531518219BFEB206F75DC4896B7BADEB85725B104A69F811D7380EA30E8019AB0
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                  • int.LIBCPMT ref: 0040FC0F
                                                    • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                    • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                  • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: P[G
                                                  • API String ID: 2536120697-571123470
                                                  • Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                  • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                  • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 047BFE63
                                                  • int.LIBCPMT ref: 047BFE76
                                                    • Part of subcall function 047BD147: std::_Lockit::_Lockit.LIBCPMT ref: 047BD158
                                                    • Part of subcall function 047BD147: std::_Lockit::~_Lockit.LIBCPMT ref: 047BD172
                                                  • std::_Facet_Register.LIBCPMT ref: 047BFEB2
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 047BFED8
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 047BFEF4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: P[G
                                                  • API String ID: 2536120697-571123470
                                                  • Opcode ID: 66d1d2f93b0a437ba6194d5bb56da3cbca8cefc802f69fb3ca8fff7099274c15
                                                  • Instruction ID: fbf3ade4d7f399efb5a662b878f93a92beae8aee795eddb7bbb752a4dcd302a3
                                                  • Instruction Fuzzy Hash: 1B11E131A00518EBDB14FBA4DD48AEEB7689F44768B200169E805A7380EB74BF41C7D4
                                                  APIs
                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                  Strings
                                                  • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                  • String ID: http://geoplugin.net/json.gp
                                                  • API String ID: 3121278467-91888290
                                                  • Opcode ID: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                  • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                  • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                  APIs
                                                    • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                  • _free.LIBCMT ref: 0044FD29
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 0044FD34
                                                  • _free.LIBCMT ref: 0044FD3F
                                                  • _free.LIBCMT ref: 0044FD93
                                                  • _free.LIBCMT ref: 0044FD9E
                                                  • _free.LIBCMT ref: 0044FDA9
                                                  • _free.LIBCMT ref: 0044FDB4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 0740df1463c1c3d913cd678bd38e9833ce2f93aa228aad24694607a7deaf0fd3
                                                  • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                  • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                  APIs
                                                    • Part of subcall function 047FFC89: _free.LIBCMT ref: 047FFCB2
                                                  • _free.LIBCMT ref: 047FFF90
                                                    • Part of subcall function 047F6D2C: HeapFree.KERNEL32(00000000,00000000,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?), ref: 047F6D42
                                                    • Part of subcall function 047F6D2C: GetLastError.KERNEL32(?,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?,?), ref: 047F6D54
                                                  • _free.LIBCMT ref: 047FFF9B
                                                  • _free.LIBCMT ref: 047FFFA6
                                                  • _free.LIBCMT ref: 047FFFFA
                                                  • _free.LIBCMT ref: 04800005
                                                  • _free.LIBCMT ref: 04800010
                                                  • _free.LIBCMT ref: 0480001B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                  • Instruction ID: 48984d2c6486bb91b20d3592534ed395f5c0606b7aafd4c5f0f5ec6f5a1a1147
                                                  • Instruction Fuzzy Hash: E4118131540B18BAE920BBB0CC09FCB7BADAF08B45F400816E799A6751EA76B909C650
                                                  APIs
                                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\advancePayment-pdf.exe), ref: 00406835
                                                    • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                    • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                  • CoUninitialize.OLE32 ref: 0040688E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                  • String ID: C:\Users\user\Desktop\advancePayment-pdf.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                  • API String ID: 3851391207-587609780
                                                  • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                  • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                  • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                  • int.LIBCPMT ref: 0040FEF2
                                                    • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                    • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                  • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: H]G
                                                  • API String ID: 2536120697-1717957184
                                                  • Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                  • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                  • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 047C0146
                                                  • int.LIBCPMT ref: 047C0159
                                                    • Part of subcall function 047BD147: std::_Lockit::_Lockit.LIBCPMT ref: 047BD158
                                                    • Part of subcall function 047BD147: std::_Lockit::~_Lockit.LIBCPMT ref: 047BD172
                                                  • std::_Facet_Register.LIBCPMT ref: 047C0195
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 047C01BB
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 047C01D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: H]G
                                                  • API String ID: 2536120697-1717957184
                                                  • Opcode ID: 0a2989e8c640b6c3179e3035855110f6a7cb0f7e06d84751caa425ed32edbe19
                                                  • Instruction ID: 74a47e1971bc6e7ffc0b3aa4e151e9406091f16310642987cb6e4918a18eb0bf
                                                  • Instruction Fuzzy Hash: 84115A31900558EBDB19FBE4C9489EEB7789F44758B20015DE8056B390EB34BF46CBD5
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 047B69EF
                                                  • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 047B6A50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object_wcslen
                                                  • String ID: $$[+] CoGetObject SUCCESS$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                  • API String ID: 240030777-4254711192
                                                  • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                  • Instruction ID: 264f8cf067494ad20de2d92134424c884585bffd00f5100ac59e905737656eb5
                                                  • Instruction Fuzzy Hash: 07116971910118ABE710EBA4DC58BDEB7BCDB48714F50406AEA05E7240F774AE5486BA
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                  • GetLastError.KERNEL32 ref: 0040B2EE
                                                  Strings
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                  • [Chrome Cookies not found], xrefs: 0040B308
                                                  • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                  • UserProfile, xrefs: 0040B2B4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                  • API String ID: 2018770650-304995407
                                                  • Opcode ID: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                                  • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                  • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 047CCBEF
                                                    • Part of subcall function 047CCC86: RegisterClassExA.USER32(00000030), ref: 047CCCD3
                                                    • Part of subcall function 047CCC86: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 047CCCEE
                                                    • Part of subcall function 047CCC86: GetLastError.KERNEL32 ref: 047CCCF8
                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 047CCC26
                                                  • lstrcpyn.KERNEL32(00473B68,0046C104,00000080), ref: 047CCC40
                                                  • Shell_NotifyIcon.SHELL32(00000000,00473B50), ref: 047CCC56
                                                  • TranslateMessage.USER32(?), ref: 047CCC62
                                                  • DispatchMessageA.USER32(?), ref: 047CCC6C
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 047CCC79
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                  • String ID:
                                                  • API String ID: 1970332568-0
                                                  • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                  • Instruction ID: f34ed00f3d142f428f00acc44df26862b81ca219964f9f203fa3a12b9d2d229e
                                                  • Instruction Fuzzy Hash: 1B0144B1904344ABD7109FA5EC4CEDB7BBCA745B16F004039F609E3162D7B8E249EB68
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: C:\Users\user\Desktop\advancePayment-pdf.exe$Rmc-I7G983$BG
                                                  • API String ID: 0-4032582840
                                                  • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                  • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                  • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: C:\Users\user\Desktop\advancePayment-pdf.exe$Rmc-I7G983$BG
                                                  • API String ID: 0-4032582840
                                                  • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                  • Instruction ID: 7d131b01f7ea7de93591a17b3fb5ba15f75966e2e1b6dd1a47c7b24a76aa8134
                                                  • Instruction Fuzzy Hash: 4AF0BB71B513109BDB203F346D1C7FB3665E780796F104475F689D6361EF64A84186CE
                                                  APIs
                                                  • __allrem.LIBCMT ref: 00439789
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                  • __allrem.LIBCMT ref: 004397BC
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                  • __allrem.LIBCMT ref: 004397F1
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1992179935-0
                                                  • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                  • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                  • Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                  • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                  APIs
                                                  • __allrem.LIBCMT ref: 047E99F0
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 047E9A0C
                                                  • __allrem.LIBCMT ref: 047E9A23
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 047E9A41
                                                  • __allrem.LIBCMT ref: 047E9A58
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 047E9A76
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1992179935-0
                                                  • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                  • Instruction ID: e02461d692b98ba80185fb852fabd4b9f1cc92d2dc83c3285b9b8d2175373b1a
                                                  • Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                  • Instruction Fuzzy Hash: 1B81FAF3600706ABE7249E6ECC45B7A73A9AF48328F144729E611D7780E770F901DB51
                                                  APIs
                                                  • _free.LIBCMT ref: 047F2DCF
                                                  • _free.LIBCMT ref: 047F2DE9
                                                  • _free.LIBCMT ref: 047F2DF4
                                                  • _free.LIBCMT ref: 047F2EC8
                                                  • _free.LIBCMT ref: 047F2EE4
                                                    • Part of subcall function 047EAABB: IsProcessorFeaturePresent.KERNEL32(00000017,047EAA8D,?,?,047B1BC9,?,?,00000000,?,?,047EAAAD,00000000,00000000,00000000,00000000,00000000), ref: 047EAABD
                                                    • Part of subcall function 047EAABB: GetCurrentProcess.KERNEL32(C0000417), ref: 047EAADF
                                                    • Part of subcall function 047EAABB: TerminateProcess.KERNEL32(00000000), ref: 047EAAE6
                                                  • _free.LIBCMT ref: 047F2EEE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
                                                  • String ID:
                                                  • API String ID: 2329545287-0
                                                  • Opcode ID: 4118d0c7a5faff20c3bdd9400e50d9846731c96832acf5071bf3a173b9413d13
                                                  • Instruction ID: 94e1735a0f07e842b0be1daab9c967bd564d9aa0e1175a4feefa92557294c6f5
                                                  • Opcode Fuzzy Hash: 4118d0c7a5faff20c3bdd9400e50d9846731c96832acf5071bf3a173b9413d13
                                                  • Instruction Fuzzy Hash: 1B517F365042156BEF24DF789C496BA7BA9DF45754F2441D9EB049B382EA337D02C350
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,047F9E08,00000001,00000001,00000006), ref: 047F9C11
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,047F9E08,00000001,00000001,00000006), ref: 047F9C97
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 047F9D91
                                                  • __freea.LIBCMT ref: 047F9D9E
                                                    • Part of subcall function 047F6D66: RtlAllocateHeap.NTDLL(00000000,047E468A,?), ref: 047F6D98
                                                  • __freea.LIBCMT ref: 047F9DA7
                                                  • __freea.LIBCMT ref: 047F9DCC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1414292761-0
                                                  • Opcode ID: a4f5f7d7e0253137201d24c54ea4cf660dd43f3a14d4cde2709bba3cbd133d87
                                                  • Instruction ID: 5c84d6f5c57442a172d514a0711d4fc1a3622e8c0bc15d3331af26d28103de94
                                                  • Opcode Fuzzy Hash: a4f5f7d7e0253137201d24c54ea4cf660dd43f3a14d4cde2709bba3cbd133d87
                                                  • Instruction Fuzzy Hash: 0A51BFF2610216ABEB258F65CC44FAA77A9EF84B54F254628FB04D6380EB35F854C660
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __cftoe
                                                  • String ID:
                                                  • API String ID: 4189289331-0
                                                  • Opcode ID: 11a352e0b54b3ab15d9b45a5f55f91f37a15fb8d34ebdf940d2044d7d4d7e9ef
                                                  • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                  • Opcode Fuzzy Hash: 11a352e0b54b3ab15d9b45a5f55f91f37a15fb8d34ebdf940d2044d7d4d7e9ef
                                                  • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __cftoe
                                                  • String ID:
                                                  • API String ID: 4189289331-0
                                                  • Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                  • Instruction ID: 5ad4675124132de5a64b9f4d01740acc2401f03f1814dc8810c3ed100655ff93
                                                  • Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                  • Instruction Fuzzy Hash: 95510732900205FBEB249F798D48EBF77F9EF99724F144219FA1996381EB31F9009664
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$Info
                                                  • String ID:
                                                  • API String ID: 2509303402-0
                                                  • Opcode ID: 15c1efeab650589001bcb3423f25e61575b515edc70c88f8593ca702e347ec5e
                                                  • Instruction ID: 25072a868db2fb9c04d3f43a66f54b8791843f87424dcc006c8984df7ea4450e
                                                  • Opcode Fuzzy Hash: 15c1efeab650589001bcb3423f25e61575b515edc70c88f8593ca702e347ec5e
                                                  • Instruction Fuzzy Hash: E6513FB0900305AEEB209FA5CC85BEEBAF9FF48704F44442EE699B6341D775A8458B61
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __freea$__alloca_probe_16
                                                  • String ID: a/p$am/pm
                                                  • API String ID: 3509577899-3206640213
                                                  • Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                  • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                  • Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                  • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                    • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prologSleep
                                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                  • API String ID: 3469354165-462540288
                                                  • Opcode ID: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
                                                  • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                  • Opcode Fuzzy Hash: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
                                                  • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 047B40F1
                                                    • Part of subcall function 047B4234: __EH_prolog.LIBCMT ref: 047B4239
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prologSleep
                                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                  • API String ID: 3469354165-462540288
                                                  • Opcode ID: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
                                                  • Instruction ID: 669505459a183309bd93a2eb2da303101c00ea02bbcbea6c504a78ffcb7a86f9
                                                  • Opcode Fuzzy Hash: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
                                                  • Instruction Fuzzy Hash: 9F41E430B052409BEB14FB78D91C7ED37A1AB45284F004568E889877E6EF30BA45D7CA
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 047B6E9F
                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 047B6EE7
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  • CloseHandle.KERNEL32(00000000), ref: 047B6F27
                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 047B6F44
                                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 047B6F6F
                                                  • DeleteFileW.KERNEL32(00000000), ref: 047B6F7F
                                                    • Part of subcall function 047B47C2: WaitForSingleObject.KERNEL32(?,000000FF,?,?,047B4875,00000000,?,?), ref: 047B47D1
                                                    • Part of subcall function 047B47C2: SetEvent.KERNEL32(?,?,?,047B4875,00000000,?,?), ref: 047B47EF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                  • String ID:
                                                  • API String ID: 1303771098-0
                                                  • Opcode ID: 7cdf14121b30b943d831dc041884720089c76492bcd48607f22f732c73577ab1
                                                  • Instruction ID: 8673d2b5fd9baa36bd679176dd42ce2528a0706639ae9dfc2aa460bd4399783e
                                                  • Opcode Fuzzy Hash: 7cdf14121b30b943d831dc041884720089c76492bcd48607f22f732c73577ab1
                                                  • Instruction Fuzzy Hash: 0D3181715093059FD210EF20DD88EEFB7A8FB94615F004E69F9C592251DB70AA48CB96
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                  • String ID:
                                                  • API String ID: 493672254-0
                                                  • Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                  • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                  • Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                  • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 047C9EFB
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 047C9F12
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 047C9F1F
                                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 047C9F2E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseControlHandleManager
                                                  • String ID:
                                                  • API String ID: 1243734080-0
                                                  • Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                  • Instruction ID: fb74c4a89a0a9f5e5aeeda09aea61e64610367b1c14d4257743f13f3bfddda07
                                                  • Opcode Fuzzy Hash: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                  • Instruction Fuzzy Hash: DB11E9B2645218AFD7116B64EC88EFF3BBCDB45BA2B000079F602D21D1DB60DC06DAB0
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                  • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                  • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                  • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                  • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,047E8064,047E7A18), ref: 047E807B
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 047E8089
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 047E80A2
                                                  • SetLastError.KERNEL32(00000000,?,047E8064,047E7A18), ref: 047E80F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                  • Instruction ID: 662f2b14a1aea9e8b20a717816be7b2b9745690cbfac8c87d9546213d0910aa8
                                                  • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                  • Instruction Fuzzy Hash: 4601D8722193515EF7253777BC8C6372644FB09678B21033AF618C63F0EE2268805165
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • _free.LIBCMT ref: 00446EF6
                                                  • _free.LIBCMT ref: 00446F1E
                                                  • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                  • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • _abort.LIBCMT ref: 00446F3D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$_abort
                                                  • String ID:
                                                  • API String ID: 3160817290-0
                                                  • Opcode ID: 3124ee328e5e47741dd31a086b6b2367838b2c65d7fa1c46dd322feed94510e6
                                                  • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                  • Opcode Fuzzy Hash: 3124ee328e5e47741dd31a086b6b2367838b2c65d7fa1c46dd322feed94510e6
                                                  • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                  APIs
                                                  • GetLastError.KERNEL32(?,047EE4C7,047E9583,047EE4C7,00475B70,?,047EBBBC,FF8BC35D,00475B70,00473EE8), ref: 047F712A
                                                  • _free.LIBCMT ref: 047F715D
                                                  • _free.LIBCMT ref: 047F7185
                                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F7192
                                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 047F719E
                                                  • _abort.LIBCMT ref: 047F71A4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$_abort
                                                  • String ID:
                                                  • API String ID: 3160817290-0
                                                  • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                  • Instruction ID: 3996cafb6037a6c119696e5a9f07dec470bf668f4abb50c193a0c65bbca11648
                                                  • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                  • Instruction Fuzzy Hash: 22F0A43524471066E71A37386C0CE2E267A9BC1AA6F250134F768D6390FF21A8468125
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                  • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                  • Opcode Fuzzy Hash: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                  • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                  • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                  • Opcode Fuzzy Hash: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                  • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                  • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                  • Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                  • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                  APIs
                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Enum$InfoQueryValue
                                                  • String ID: [regsplt]$DG
                                                  • API String ID: 3554306468-1089238109
                                                  • Opcode ID: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                  • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                  • Opcode Fuzzy Hash: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                  • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                  APIs
                                                    • Part of subcall function 047C1900: TerminateProcess.KERNEL32(00000000,?,047BC8E4), ref: 047C1910
                                                    • Part of subcall function 047C1900: WaitForSingleObject.KERNEL32(000000FF,?,047BC8E4), ref: 047C1923
                                                    • Part of subcall function 047C28C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 047C28E0
                                                    • Part of subcall function 047C28C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 047C28F9
                                                    • Part of subcall function 047C28C4: RegCloseKey.ADVAPI32(?), ref: 047C2904
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 047BC92E
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 047BCA8D
                                                  • ExitProcess.KERNEL32 ref: 047BCA99
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                  • String ID: @CG$exepath
                                                  • API String ID: 1913171305-1253070338
                                                  • Opcode ID: 7fefd4fcae7e0ef6d55ce9d204f1d3822a483be89a92adb2579d4a357fc0ee6e
                                                  • Instruction ID: 7af12fe0a2119508ebc63aa3c17ca6e2c8ad82f41824023a78a663f4f424f5fe
                                                  • Opcode Fuzzy Hash: 7fefd4fcae7e0ef6d55ce9d204f1d3822a483be89a92adb2579d4a357fc0ee6e
                                                  • Instruction Fuzzy Hash: 094140329011185AEB15FB60DC5CFFE7379AF50608F1045A9E846A23A2EE247E86CBD5
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 047C40ED
                                                  • LoadLibraryA.KERNEL32(?), ref: 047C412F
                                                  • LoadLibraryA.KERNEL32(?), ref: 047C418E
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 047C41B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$AddressDirectoryProcSystem
                                                  • String ID: g<A
                                                  • API String ID: 4217395396-3237022798
                                                  • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                  • Instruction ID: dbdc0e9643ee3c88c95c1ec0eda3514e282e42e529f9686bc5b1394d087be6cb
                                                  • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                  • Instruction Fuzzy Hash: 5131D3B29063256BD720EF24DC48E9B77DCEF44794F044A2DE98493301E774EA408BEA
                                                  APIs
                                                    • Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                    • Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                    • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                  • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                    • Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                    • Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                  • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                  • API String ID: 2974294136-753205382
                                                  • Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                  • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                  • Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                  • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                  • wsprintfW.USER32 ref: 0040A905
                                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EventLocalTimewsprintf
                                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                  • API String ID: 1497725170-248792730
                                                  • Opcode ID: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                  • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                  • Opcode Fuzzy Hash: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                  • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                  • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleSizeSleep
                                                  • String ID: `AG
                                                  • API String ID: 1958988193-3058481221
                                                  • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                  • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                  • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                  • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,047BA0D6), ref: 047BA034
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,047BA0D6), ref: 047BA043
                                                  • Sleep.KERNEL32(00002710,?,?,?,047BA0D6), ref: 047BA070
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,047BA0D6), ref: 047BA077
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleSizeSleep
                                                  • String ID: `AG
                                                  • API String ID: 1958988193-3058481221
                                                  • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                  • Instruction ID: 83b6f4e27ac911e778132115388c2abadb3385d2fb449f408958590ee5a8be6a
                                                  • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                  • Instruction Fuzzy Hash: 6E110A30304B406AEB31B764988CBBF3B5AEB86315F440D68F1C642792E761B8C4C3E9
                                                  APIs
                                                  • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                  • GetLastError.KERNEL32 ref: 0041CA91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClassCreateErrorLastRegisterWindow
                                                  • String ID: 0$MsgWindowClass
                                                  • API String ID: 2877667751-2410386613
                                                  • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                  • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                  • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                  • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                  APIs
                                                  • RegisterClassExA.USER32(00000030), ref: 047CCCD3
                                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 047CCCEE
                                                  • GetLastError.KERNEL32 ref: 047CCCF8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClassCreateErrorLastRegisterWindow
                                                  • String ID: 0$MsgWindowClass
                                                  • API String ID: 2877667751-2410386613
                                                  • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                  • Instruction ID: 2c4b31534fd40707166d98b4a04d7e8f4045731f1131994f0cf03c46c09a6eca
                                                  • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                  • Instruction Fuzzy Hash: 2A0125B1D1421EAB8B01DFEADCC49EFBBBDBE49355B50452AE400B2200E7709A448BA0
                                                  APIs
                                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                  • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                  • CloseHandle.KERNEL32(?), ref: 00406A14
                                                  Strings
                                                  • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$CreateProcess
                                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                  • API String ID: 2922976086-4183131282
                                                  • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                  • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                  • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                  • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
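The function above is the one behind the "Contains functionality to bypass UAC" signature: it spawns cmd.exe /k with a reg.exe ADD command that writes EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which turns UAC off at the next logon. The detection logic below is an added example for this report, not code from Joe Sandbox or from the sample. It parses process-creation command lines (as logged by Sysmon Event ID 1 or Security 4688) rather than matching a literal string, so it also catches the child reg.exe event, the long HKEY_LOCAL_MACHINE hive name, quoting, mixed case and hex data. It goes beyond the one value this sample writes by also flagging ConsentPromptBehaviorAdmin and PromptOnSecureDesktop set to 0; those two names and all the log lines are assumptions constructed for the example.

```python
"""Detect UAC-policy tampering via reg.exe in process-creation command lines.

Added example; not code from the Joe Sandbox report or from the analysed sample.
"""

POLICY_KEY = r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"

# Value names under Policies\System whose data 0 weakens UAC. EnableLUA is the
# one this sample writes; the other two are assumed additions for generality.
WEAKENING_VALUES = {"ENABLELUA", "CONSENTPROMPTBEHAVIORADMIN", "PROMPTONSECUREDESKTOP"}

HIVES = {
    "HKLM": "HKLM", "HKEY_LOCAL_MACHINE": "HKLM",
    "HKCU": "HKCU", "HKEY_CURRENT_USER": "HKCU",
}


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def is_reg_exe(token):
    """True for reg, reg.exe, C:\\Windows\\System32\\reg.exe or %windir%\\System32\\reg.exe."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("reg", "reg.exe")


def parse_int(text):
    """Parse reg.exe /d data as an integer (decimal or 0x-prefixed hex), else None."""
    t = text.strip().lower()
    try:
        return int(t[2:], 16) if t.startswith("0x") else int(t, 10)
    except ValueError:
        return None


def normalize_key(key):
    """Split 'HKLM\\Path' into a canonical hive name and an upper-cased path."""
    hive, _, path = key.strip("\\").partition("\\")
    return HIVES.get(hive.upper()), path.upper().strip("\\")


def parse_reg_add(cmdline):
    """Return {'hive','path','value','type','data'} if cmdline runs 'reg add', else None."""
    tokens = split_cmdline(cmdline)
    for i, tok in enumerate(tokens):
        if is_reg_exe(tok) and i + 2 < len(tokens) and tokens[i + 1].lower() == "add":
            break
    else:
        return None
    hive, path = normalize_key(tokens[i + 2])
    # reg add defaults to REG_SZ when /t is omitted
    entry = {"hive": hive, "path": path, "value": None, "type": "REG_SZ", "data": None}
    opts = tokens[i + 3:]
    j = 0
    while j < len(opts):
        flag = opts[j].lower()
        if flag == "/v" and j + 1 < len(opts):
            entry["value"] = opts[j + 1].upper()
            j += 2
        elif flag == "/t" and j + 1 < len(opts):
            entry["type"] = opts[j + 1].upper()
            j += 2
        elif flag == "/d" and j + 1 < len(opts):
            entry["data"] = opts[j + 1]
            j += 2
        else:
            j += 1  # /f, /ve, /reg:32 and anything unknown
    return entry


def detect_uac_tamper(cmdline):
    """Return a finding dict when the command sets a UAC policy value to 0, else None."""
    entry = parse_reg_add(cmdline)
    if entry is None or entry["hive"] != "HKLM" or entry["path"] != POLICY_KEY:
        return None
    if entry["value"] not in WEAKENING_VALUES:
        return None
    if entry["data"] is None or parse_int(entry["data"]) != 0:
        return None
    return {"value": entry["value"], "type": entry["type"], "cmdline": cmdline}


def scan(cmdlines):
    """Run the detector over a list of command lines and return the findings."""
    return [f for f in (detect_uac_tamper(c) for c in cmdlines) if f]


# Constructed process-creation command lines; the first is the one this sample issues.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r'reg  add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v enablelua /t REG_DWORD /d 0x0 /f',
    r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
    r"reg add HKCU\Software\Contoso\App /v Telemetry /t REG_DWORD /d 0 /f",
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(f"UAC policy {finding['value']} set to 0: {finding['cmdline']}")
```

Matching on the reg.exe basename rather than its full path matters here because the sample reaches it through %windir%, which cmd.exe expands before the child process is created; a rule keyed on C:\Windows\System32\reg.exe in the parent's command line would miss it. Setting EnableLUA to 1 is not flagged, since that is the hardening direction, and the recorded value type lets a responder spot the case where /t was omitted and reg.exe wrote a REG_SZ "0" that Windows does not honour.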
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                  • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                  • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                  • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                  APIs
                                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 047C29E6
                                                  • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,047BE832,pth_unenc,004742E0), ref: 047C2A14
                                                  • RegCloseKey.ADVAPI32(?,?,047BE832,pth_unenc,004742E0), ref: 047C2A1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: pth_unenc$BG
                                                  • API String ID: 1818849710-2233081382
                                                  • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                  • Instruction ID: f0d82afd28fd8d89fee3885f9528006d05b6f61c1b710d58cd3f55f97b112918
                                                  • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                  • Instruction Fuzzy Hash: 16F09671541218BBDF119FA0ED59FEE376CEF00744F0045A4F902A6162E631EB04DB50
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404B0D
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                  • String ID: KeepAlive | Disabled
                                                  • API String ID: 2993684571-305739064
                                                  • Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                  • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                  • Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                  • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                  APIs
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                  • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                  • Sleep.KERNEL32(00002710), ref: 00419F79
                                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                                  • String ID: Alarm triggered
                                                  • API String ID: 614609389-2816303416
                                                  • Opcode ID: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                  • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                  • Opcode Fuzzy Hash: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                  • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                  Strings
                                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                  • API String ID: 3024135584-2418719853
                                                  • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                  • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                  • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                  • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                  • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                  • Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                  • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e2c0e9d55fcd13551ec2678028d06ddb1c515a5452d77a18986bab3fa9fe77ab
                                                  • Instruction ID: 450547d31a6a8b218b69bb2ae903245788f1006e27132ee2b21b930921a9a882
                                                  • Opcode Fuzzy Hash: e2c0e9d55fcd13551ec2678028d06ddb1c515a5452d77a18986bab3fa9fe77ab
                                                  • Instruction Fuzzy Hash: 2A71A231A05296DFDF218FA5CC44ABEBB75EF42360F144229EA51B7382D7B0B941C7A1
                                                  APIs
                                                    • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                  • RtlAllocateHeap.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                  • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
                                                  • String ID:
                                                  • API String ID: 4001361727-0
                                                  • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                  • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                  • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                  • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
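The two SetLastError values in the function above are the documented Win32 codes ERROR_BAD_EXE_FORMAT (0xC1) and ERROR_DLL_INIT_FAILED (0x45A). Together with GetNativeSystemInfo and a heap allocation, that is the error signature of a loader that maps a PE image from memory instead of from disk, which fits the report's "Detected unpacking" finding; treating this function as such a loader is an assumption, not something the report states. The code below is an added example, not code from the report or the sample, showing the header checks a loader of that kind performs before it maps an image and the error it reports when they fail. The minimal PE image it validates is constructed in the example and is not executable.

```python
"""Header validation a manual in-memory PE loader performs before mapping an image.

Added example; not code from the Joe Sandbox report or from the analysed sample.
Offsets follow the PE/COFF specification; the test image is constructed here.
"""
import struct

ERROR_BAD_EXE_FORMAT = 0xC1    # the 000000C1 passed to SetLastError above
# 0x45A (ERROR_DLL_INIT_FAILED) is what such a loader reports later, when the
# mapped image's DllMain returns FALSE; that stage is not modelled here.

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def validate_pe_for_loading(image, host_machine):
    """Return (0, info) if the image can be mapped by a loader running as host_machine,
    otherwise (ERROR_BAD_EXE_FORMAT, None), mirroring what the loader passes to SetLastError.

    Checks: MZ and PE signatures, CPU type equal to the host process's, optional-header
    magic consistent with the CPU type, sane SectionAlignment, and a section table that
    fits inside the buffer (a truncated download must not be mapped)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return ERROR_BAD_EXE_FORMAT, None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 0x18 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ERROR_BAD_EXE_FORMAT, None
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    if machine != host_machine:
        return ERROR_BAD_EXE_FORMAT, None  # a 32-bit loader cannot map a 64-bit image, or vice versa
    opt = e_lfanew + 0x18
    if opt_size < 0x60 or opt + opt_size > len(image):
        return ERROR_BAD_EXE_FORMAT, None
    magic = struct.unpack_from("<H", image, opt)[0]
    expected_magic = (IMAGE_NT_OPTIONAL_HDR64_MAGIC if machine == IMAGE_FILE_MACHINE_AMD64
                      else IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    if magic != expected_magic:
        return ERROR_BAD_EXE_FORMAT, None
    entry_rva = struct.unpack_from("<I", image, opt + 0x10)[0]
    section_align, file_align = struct.unpack_from("<II", image, opt + 0x20)
    size_of_image = struct.unpack_from("<I", image, opt + 0x38)[0]
    if section_align == 0 or section_align & (section_align - 1) or size_of_image == 0:
        return ERROR_BAD_EXE_FORMAT, None
    if opt + opt_size + n_sections * 40 > len(image):  # IMAGE_SECTION_HEADER is 40 bytes
        return ERROR_BAD_EXE_FORMAT, None
    return 0, {"machine": machine, "entry_rva": entry_rva, "size_of_image": size_of_image,
               "section_align": section_align, "file_align": file_align, "sections": n_sections}


def build_minimal_pe(machine=IMAGE_FILE_MACHINE_I386):
    """Construct a minimal, non-executable PE image in memory (test input only)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    is64 = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size = 0xF0 if is64 else 0xE0
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, machine, 1, 0, 0, 0, opt_size, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC if is64 else IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", img, opt + 0x10, 0x1000)         # AddressOfEntryPoint
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, opt + 0x38, 0x2000)         # SizeOfImage
    struct.pack_into("<I", img, opt + 0x3C, 0x200)          # SizeOfHeaders
    return bytes(img)


if __name__ == "__main__":
    code, info = validate_pe_for_loading(build_minimal_pe(), IMAGE_FILE_MACHINE_I386)
    print(f"32-bit image in 32-bit host: error=0x{code:X} info={info}")
    code, _ = validate_pe_for_loading(build_minimal_pe(), IMAGE_FILE_MACHINE_AMD64)
    print(f"32-bit image in 64-bit host: error=0x{code:X}")
```

The host machine type is what the loader compares against, not what GetNativeSystemInfo returns: this sample is a 32-bit process (code at 0x00400000), so on a 64-bit host it would still only map i386 images. GetNativeSystemInfo is typically consulted for the allocation granularity and page size used when reserving the image's address range.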
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3033488037-0
                                                  • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                  • Instruction ID: 7d4397af066835471aa914286e71c303bc901f0af0eb64d962967c42e88066db
                                                  • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                  • Instruction Fuzzy Hash: 15519032A00608AFDB20DF69DC41A6B77F5EF68724F140669EA09DB350E731F901CB80
                                                  APIs
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 047F82E0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 047F8358
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 047F8385
                                                  • _free.LIBCMT ref: 047F82CE
                                                    • Part of subcall function 047F6D2C: HeapFree.KERNEL32(00000000,00000000,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?), ref: 047F6D42
                                                    • Part of subcall function 047F6D2C: GetLastError.KERNEL32(?,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?,?), ref: 047F6D54
                                                  • _free.LIBCMT ref: 047F849A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                  • String ID:
                                                  • API String ID: 1286116820-0
                                                  • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                  • Instruction ID: be35d660a02ba4e9a064b3c499e0d64f90b9e19235817cc3549985df85f9cfca
                                                  • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                  • Instruction Fuzzy Hash: 78512971900209EBDB24FF69DC849BE77BCEF40360B11026AE618973A0E730B945CB51
                                                  APIs
                                                    • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                    • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                    • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                    • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                                    • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                    • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 2180151492-0
                                                  • Opcode ID: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                  • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                  • Opcode Fuzzy Hash: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                  • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: b662eee571422ad0b3875ebd43681a30729376c8d54b4628dcae4612808a046b
                                                  • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                  • Opcode Fuzzy Hash: b662eee571422ad0b3875ebd43681a30729376c8d54b4628dcae4612808a046b
                                                  • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                  • Instruction ID: 92e62aa568097309233ff931159d5ebd0fcdd7ab4b28328cd5b31426b17c7c42
                                                  • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                  • Instruction Fuzzy Hash: D5419136A00214DFDB24DF79CC84A6DB7B6EF88728F1545A9DA15EB391DB31B901CB80
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                                  • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                                  • __freea.LIBCMT ref: 0044FFC4
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                  • String ID:
                                                  • API String ID: 313313983-0
                                                  • Opcode ID: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                  • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                  • Opcode Fuzzy Hash: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                  • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                  • _free.LIBCMT ref: 0044E1A0
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                  • String ID:
                                                  • API String ID: 336800556-0
                                                  • Opcode ID: dab2c6beb2631548aa4193bc191f7b77b860484e65eb370ccd648b4b240c48da
                                                  • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                  • Opcode Fuzzy Hash: dab2c6beb2631548aa4193bc191f7b77b860484e65eb370ccd648b4b240c48da
                                                  • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 047FE3AB
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 047FE3CE
                                                    • Part of subcall function 047F6D66: RtlAllocateHeap.NTDLL(00000000,047E468A,?), ref: 047F6D98
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 047FE3F4
                                                  • _free.LIBCMT ref: 047FE407
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 047FE416
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                  • String ID:
                                                  • API String ID: 336800556-0
                                                  • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                  • Instruction ID: daaf67d41e34cda30c0feb6f70beb5ff953b2dc21ee17f2b8581636c11c397df
                                                  • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                  • Instruction Fuzzy Hash: 29018F72605B157B27215ABA6C8CC7B7A6DDEC2EB1315013DFF04C3361EA61AC0295F1
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000000,00000000,0043A7C2,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F48
                                                  • _free.LIBCMT ref: 00446F7D
                                                  • _free.LIBCMT ref: 00446FA4
                                                  • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                                  • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: 68c24d3c485c9ec07c4abd319f206c17a15401c230aa68fe3ac06e04a4fc53bb
                                                  • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                  • Opcode Fuzzy Hash: 68c24d3c485c9ec07c4abd319f206c17a15401c230aa68fe3ac06e04a4fc53bb
                                                  • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000000,00000000,047EAA29,00000000,?,?,047EAAAD,00000000,00000000,00000000,00000000,00000000,00000000,047B2E6F,?), ref: 047F71AF
                                                  • _free.LIBCMT ref: 047F71E4
                                                  • _free.LIBCMT ref: 047F720B
                                                  • SetLastError.KERNEL32(00000000), ref: 047F7218
                                                  • SetLastError.KERNEL32(00000000), ref: 047F7221
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                  • Instruction ID: 39f97992ee45fa576a492a33f15161a9b3eb04e3a873532774f4dbdd2913eee1
                                                  • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                  • Instruction Fuzzy Hash: 9301F4362047016BE71A3B756C4892F2A7EDBC17B6B250039FB28A2391EF71F8068125
                                                  APIs
                                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpen$FileImageName
                                                  • String ID:
                                                  • API String ID: 2951400881-0
                                                  • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                  • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                  • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                  • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                  APIs
                                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 047CB5FC
                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 047CB60F
                                                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 047CB62F
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 047CB63A
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 047CB642
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpen$FileImageName
                                                  • String ID:
                                                  • API String ID: 2951400881-0
                                                  • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                  • Instruction ID: a03489722f3c787047b88253e11c6c73f9176bb6910da574e48ac88d57c61052
                                                  • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                  • Instruction Fuzzy Hash: 1CF0F9716042156BE7116754FC4BF77B26CDB84796F00007DF655E22A1EE70FC814666
                                                  APIs
                                                  • _free.LIBCMT ref: 0044F7B5
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 0044F7C7
                                                  • _free.LIBCMT ref: 0044F7D9
                                                  • _free.LIBCMT ref: 0044F7EB
                                                  • _free.LIBCMT ref: 0044F7FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: d89e1ad89c4feda35881f4fed9d05875870b47023789c8c1d9b385efa1ce0434
                                                  • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                  • Opcode Fuzzy Hash: d89e1ad89c4feda35881f4fed9d05875870b47023789c8c1d9b385efa1ce0434
                                                  • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                  APIs
                                                  • _free.LIBCMT ref: 047FFA1C
                                                    • Part of subcall function 047F6D2C: HeapFree.KERNEL32(00000000,00000000,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?), ref: 047F6D42
                                                    • Part of subcall function 047F6D2C: GetLastError.KERNEL32(?,?,047FFCB7,?,00000000,?,00000000,?,047FFF5B,?,00000007,?,?,0480046C,?,?), ref: 047F6D54
                                                  • _free.LIBCMT ref: 047FFA2E
                                                  • _free.LIBCMT ref: 047FFA40
                                                  • _free.LIBCMT ref: 047FFA52
                                                  • _free.LIBCMT ref: 047FFA64
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                  • Instruction ID: 44df7fa7b81d02d2d69e5860b349cfcf27e75aad98f0c0e80178d8aed66b6cfe
                                                  • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                  • Instruction Fuzzy Hash: 65F0B232505204EB9A70EB64ECC5C1677FBEA05754794581AF649D7750CF32FCC1C654
                                                  APIs
                                                  • _free.LIBCMT ref: 00443305
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 00443317
                                                  • _free.LIBCMT ref: 0044332A
                                                  • _free.LIBCMT ref: 0044333B
                                                  • _free.LIBCMT ref: 0044334C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: c3120dcef0787b9cf8f38df2e8b45ee5e9f31c9a7bbf404c2791e375fa6e41c1
                                                  • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                  • Opcode Fuzzy Hash: c3120dcef0787b9cf8f38df2e8b45ee5e9f31c9a7bbf404c2791e375fa6e41c1
                                                  • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                  APIs
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                  • IsWindowVisible.USER32(?), ref: 004167A1
                                                    • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                    • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessWindow$Open$TextThreadVisible
                                                  • String ID: (FG
                                                  • API String ID: 3142014140-2273637114
                                                  • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                  • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                  • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                  • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                  APIs
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 047C69CF
                                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 047C6A01
                                                  • IsWindowVisible.USER32(?), ref: 047C6A08
                                                    • Part of subcall function 047CB5E4: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 047CB5FC
                                                    • Part of subcall function 047CB5E4: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 047CB60F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessWindow$Open$TextThreadVisible
                                                  • String ID: (FG
                                                  • API String ID: 3142014140-2273637114
                                                  • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                  • Instruction ID: db2798921e62bb9670517e3fd298af93abe65344d07adfef3abe25405b36ae85
                                                  • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                  • Instruction Fuzzy Hash: 4F71E0311092448AD365FB64D8ACBEF73A4AF94308F50496DE5DA423A5EF307A49CBD2
                                                  APIs
                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 047C2C84
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 047C2CB3
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 047C2D54
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Enum$InfoQueryValue
                                                  • String ID: DG
                                                  • API String ID: 3554306468-2560412334
                                                  • Opcode ID: bddf4943656ecba2bd9c39908ecfff909f44732c8dc369bfccc853cd4406e952
                                                  • Instruction ID: 78f51aafe440a9257a962c8402ffed962b97feea8317bf94f7f31e1051ca836a
                                                  • Opcode Fuzzy Hash: bddf4943656ecba2bd9c39908ecfff909f44732c8dc369bfccc853cd4406e952
                                                  • Instruction Fuzzy Hash: AD510F72108344AFE310EB64DC58EEBB7ECEF84704F40496DB69592251EB70F649CBA2
                                                  APIs
                                                  • _strpbrk.LIBCMT ref: 0044D4A8
                                                  • _free.LIBCMT ref: 0044D5C5
                                                    • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,00401962,?,?,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                    • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                                    • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                  • String ID: *?$.
                                                  • API String ID: 2812119850-3972193922
                                                  • Opcode ID: 73040f562b485aa4ba7bae5ba06ef56d6e40d69006e3ef74cfff54337b2ff493
                                                  • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                  • Opcode Fuzzy Hash: 73040f562b485aa4ba7bae5ba06ef56d6e40d69006e3ef74cfff54337b2ff493
                                                  • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                  APIs
                                                  • _strpbrk.LIBCMT ref: 047FD70F
                                                  • _free.LIBCMT ref: 047FD82C
                                                    • Part of subcall function 047EAABB: IsProcessorFeaturePresent.KERNEL32(00000017,047EAA8D,?,?,047B1BC9,?,?,00000000,?,?,047EAAAD,00000000,00000000,00000000,00000000,00000000), ref: 047EAABD
                                                    • Part of subcall function 047EAABB: GetCurrentProcess.KERNEL32(C0000417), ref: 047EAADF
                                                    • Part of subcall function 047EAABB: TerminateProcess.KERNEL32(00000000), ref: 047EAAE6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                  • String ID: *?$.
                                                  • API String ID: 2812119850-3972193922
                                                  • Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                  • Instruction ID: aa788f1e47672c3c4cc7c945efe9c65a759907564fbb57c8d1a776c79ac99a3a
                                                  • Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                  • Instruction Fuzzy Hash: AD51A275E00209EFDF24DFA8CC84AADBBF9EF48314F248169D955EB340E675AA01CB50
                                                  APIs
                                                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                    • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                    • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                    • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                  • String ID: XCG$`AG$>G
                                                  • API String ID: 2334542088-2372832151
                                                  • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                  • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                  • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                  • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                  APIs
                                                  • GetKeyboardLayoutNameA.USER32(?), ref: 047B9868
                                                    • Part of subcall function 047B4458: socket.WS2_32(00000000,00000001,00000006), ref: 047B4479
                                                    • Part of subcall function 047B44F3: connect.WS2_32(?,00000000,00000000), ref: 047B450C
                                                    • Part of subcall function 047CB911: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,047B98F0,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 047CB926
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                  • String ID: XCG$`AG$>G
                                                  • API String ID: 2334542088-2372832151
                                                  • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                  • Instruction ID: 24e5351bcff3ad45c80faca17447e64e11b2ebca58697231dac027c20de5d91e
                                                  • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                  • Instruction Fuzzy Hash: 805153312492445FE369F764D87CBEF7395AF94304F40486DE5CA43391EE30B94ACA92
                                                  APIs
                                                  • connect.WS2_32(?,00000000,00000000), ref: 047B450C
                                                  • WSAGetLastError.WS2_32(?,?,?,047B1B92), ref: 047B464E
                                                    • Part of subcall function 047CA8ED: GetLocalTime.KERNEL32(00000000), ref: 047CA907
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLocalTimeconnect
                                                  • String ID: Connection Failed: $TLS Handshake... |
                                                  • API String ID: 227477821-1510355367
                                                  • Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                  • Instruction ID: 2d3634d6c6558c6feed9e86d5c9be7d106b57fed5b116cccee87ba5a0a788415
                                                  • Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                  • Instruction Fuzzy Hash: CA415861B10B05BBEB14BBBD8C0EBAD7A65AB41348F40019DD84247793FE51F8148BE7
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\advancePayment-pdf.exe,00000104), ref: 00442714
                                                  • _free.LIBCMT ref: 004427DF
                                                  • _free.LIBCMT ref: 004427E9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Users\user\Desktop\advancePayment-pdf.exe
                                                  • API String ID: 2506810119-2203547796
                                                  • Opcode ID: c9dc1e12dca1de5c6524ddccaff9d38a23f7cae08c9d1df16dccf21c829d287c
                                                  • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                  • Opcode Fuzzy Hash: c9dc1e12dca1de5c6524ddccaff9d38a23f7cae08c9d1df16dccf21c829d287c
                                                  • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\advancePayment-pdf.exe,00000104), ref: 047F297B
                                                  • _free.LIBCMT ref: 047F2A46
                                                  • _free.LIBCMT ref: 047F2A50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Users\user\Desktop\advancePayment-pdf.exe
                                                  • API String ID: 2506810119-2203547796
                                                  • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                  • Instruction ID: 87576eaaabf7265d8f90a3768c5b593b8c8f84380d586f3c1123204e6d818090
                                                  • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                  • Instruction Fuzzy Hash: 4A31A771A04218AFDB31DF99DC8899EBBFCEB85310F1040A6EA05A7312E771AE41DB50
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,0046BA00,00000000,00000000,00000000), ref: 047C68C3
                                                    • Part of subcall function 047CB881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,047B3D5A,00465324), ref: 047CB89A
                                                  • Sleep.KERNEL32(00000064), ref: 047C68EF
                                                  • DeleteFileW.KERNEL32(00000000), ref: 047C6923
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                  • String ID: /t
                                                  • API String ID: 1462127192-3161277685
                                                  • Opcode ID: bb2c0f94cc430c17f8d99c3ea8886f75899e052070629971ff6dc793af8fbd9b
                                                  • Instruction ID: 29f53d91ea4122e0269eacd9ad784468e57a32e36e95be1040f8b64f32790f99
                                                  • Opcode Fuzzy Hash: bb2c0f94cc430c17f8d99c3ea8886f75899e052070629971ff6dc793af8fbd9b
                                                  • Instruction Fuzzy Hash: E93145319011185AEB14FBA0DCADFED7734EF14308F4041A9E54667391EF607A8ACBD5
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                    • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                  • String ID: /sort "Visit Time" /stext "$8>G
                                                  • API String ID: 368326130-2663660666
                                                  • Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                  • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                  • Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                  • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
                                                  • CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
                                                  • CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
                                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTimewsprintf
                                                  • String ID: Offline Keylogger Started
                                                  • API String ID: 465354869-4114347211
                                                  • Opcode ID: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                                  • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                  • Opcode Fuzzy Hash: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                                  • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 047BAAEB
                                                  • wsprintfW.USER32 ref: 047BAB6C
                                                    • Part of subcall function 047B9FBF: SetEvent.KERNEL32(00000000,?,00000000,047BAB83,00000000), ref: 047B9FEB
                                                  Strings
                                                  • Offline Keylogger Started, xrefs: 047BAAE4
                                                  • [%04i/%02i/%02i %02i:%02i:%02i , xrefs: 047BAAF4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EventLocalTimewsprintf
                                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
                                                  • API String ID: 1497725170-184404310
                                                  • Opcode ID: d5ceb195e9b1766e7296a956330388e17a452e3f282c8842e463cd6a29e782c0
                                                  • Instruction ID: ac969d8239d06929b73747919c67de617a9cd56d76cbd57f44ee889386809d92
                                                  • Opcode Fuzzy Hash: d5ceb195e9b1766e7296a956330388e17a452e3f282c8842e463cd6a29e782c0
                                                  • Instruction Fuzzy Hash: 7E119672404118AADB18FB54EC58DFE77B8AE48315B00416AF84292291FF787A85D7E4
                                                  APIs
                                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
                                                  • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
                                                  • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTime$wsprintf
                                                  • String ID: Online Keylogger Started
                                                  • API String ID: 112202259-1258561607
                                                  • Opcode ID: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                                  • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                  • Opcode Fuzzy Hash: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                                  • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                  APIs
                                                  • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                  • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                  • __dosmaperr.LIBCMT ref: 0044AAFE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseErrorHandleLast__dosmaperr
                                                  • String ID: `@
                                                  • API String ID: 2583163307-951712118
                                                  • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                  • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                  • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                  • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 00404946
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                                  • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$EventLocalThreadTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 2532271599-1507639952
                                                  • Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                  • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                  • Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                  • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 047B4BAD
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 047B4BFB
                                                  • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 047B4C0E
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 047B4BC3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$EventLocalThreadTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 2532271599-1507639952
                                                  • Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                  • Instruction ID: 3a560e80f524b31b8b47be3cf7bce07bd9ba7610a6906b393b8fc067257945d4
                                                  • Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                  • Instruction Fuzzy Hash: 2F110671A042547BDB11BB7A8C0CBDB7FAC9F46354F00406AF44942352DA74E485CBF5
                                                  APIs
                                                    • Part of subcall function 047CB3C2: GetCurrentProcess.KERNEL32(00000003,?,?,047CA6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 047CB3D3
                                                    • Part of subcall function 047CB3C2: IsWow64Process.KERNEL32(00000000,?,?,047CA6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 047CB3DA
                                                    • Part of subcall function 047C277A: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 047C279E
                                                    • Part of subcall function 047C277A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 047C27BB
                                                    • Part of subcall function 047C277A: RegCloseKey.ADVAPI32(?), ref: 047C27C6
                                                  • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 047CA740
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                  • String ID: (32 bit)$ (64 bit)$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 782494840-214125106
                                                  • Opcode ID: 6ae090941000325c3c897e8fa024b5b50426e295cbf2c4f387652279544f3053
                                                  • Instruction ID: e8de7bdc65741c42b05506add782dfcda6de86e9d900982376072acf3670bba5
                                                  • Opcode Fuzzy Hash: 6ae090941000325c3c897e8fa024b5b50426e295cbf2c4f387652279544f3053
                                                  • Instruction Fuzzy Hash: 0E112950A0020526EB05B3A49C9EFAF366DDB80304F50457DA555D33D2EB64BE4683E6
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                  • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                  • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandleObjectSingleWait
                                                  • String ID: Connection Timeout
                                                  • API String ID: 2055531096-499159329
                                                  • Opcode ID: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
                                                  • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                  • Opcode Fuzzy Hash: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
                                                  • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                    • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                    • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                  • String ID: bad locale name
                                                  • API String ID: 3628047217-1405518554
                                                  • Opcode ID: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                                  • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                  • Opcode Fuzzy Hash: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                                  • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                  • RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                  • RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: Control Panel\Desktop
                                                  • API String ID: 1818849710-27424756
                                                  • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                  • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                  • Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                  • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 047C2948
                                                  • RegSetValueExA.ADVAPI32(004655B0,0046BE08,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,047CBEAD,0046BE08,004655B0,00000001,00473EE8,00000000), ref: 047C2970
                                                  • RegCloseKey.ADVAPI32(004655B0,?,?,047CBEAD,0046BE08,004655B0,00000001,00473EE8,00000000,?,047B7C44,00000001), ref: 047C297B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: Control Panel\Desktop
                                                  • API String ID: 1818849710-27424756
                                                  • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                  • Instruction ID: 8029249c118df2d423a9aea8a064a56991d51ada2c53e9521264a110cc294c48
                                                  • Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                  • Instruction Fuzzy Hash: F4F03072541118BBDB019FA0EC59EEE776CEF05655F1081A8BD06A6262EA31EE04DB90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: T=G$T=G$wkE
                                                  • API String ID: 3519838083-2195589345
                                                  • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                  • Instruction ID: 1c8a2b3876a74e32fbada62f7978b01a26c0b93945dbf33a78bf3e8d4c5ed404
                                                  • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                  • Instruction Fuzzy Hash: C3F05971B012106BDB14AB24880CBDEB774DF41328F00CAAAA094F73A1CB7C6D00C7E6
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                  • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: TUF
                                                  • API String ID: 1818849710-3431404234
                                                  • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                  • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                  • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                  • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 047C2A4A
                                                  • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,047BBBB3,004660E0,00000001,000000AF,00465554), ref: 047C2A65
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,047BBBB3,004660E0,00000001,000000AF,00465554), ref: 047C2A70
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: TUF
                                                  • API String ID: 1818849710-3431404234
                                                  • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                  • Instruction ID: 869c0957f5c6eb3fe5b1bdd3b37d3441bc2bf6bf969d914581e24a74811087e2
                                                  • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                  • Instruction Fuzzy Hash: 2AE03071540204BBDF219FA09C05FDE3BA8EB04B95F004064FA05E6191D271DE04D794
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID: /C $cmd.exe$open
                                                  • API String ID: 587946157-3896048727
                                                  • Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                  • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                  • Opcode Fuzzy Hash: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                  • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: GetCursorInfo$User32.dll
                                                  • API String ID: 1646373207-2714051624
                                                  • Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                  • Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
                                                  • Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                  • Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetLastInputInfo$User32.dll
                                                  • API String ID: 2574300362-1519888992
                                                  • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                  • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                  • Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                  • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __alldvrm$_strrchr
                                                  • String ID:
                                                  • API String ID: 1036877536-0
                                                  • Opcode ID: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                  • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                  • Opcode Fuzzy Hash: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                  • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __alldvrm$_strrchr
                                                  • String ID:
                                                  • API String ID: 1036877536-0
                                                  • Opcode ID: 34a4a8fdb2fbaed24085f9f51e48c21e05a0faa9b4c0d03c29d10533be22c836
                                                  • Instruction ID: 054aacf267036613155f52fe302de50d85284994549cd53897697041388f0c83
                                                  • Opcode Fuzzy Hash: 34a4a8fdb2fbaed24085f9f51e48c21e05a0faa9b4c0d03c29d10533be22c836
                                                  • Instruction Fuzzy Hash: 1EA176F2A00386AFEB21CF68CC80BAEBBE0EF55310F14466DDB859B381D234A941C751
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,0046BD30,00000000,00020019,?), ref: 047CBAAD
                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 047CBAF1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EnumOpen
                                                  • String ID:
                                                  • API String ID: 3231578192-0
                                                  • Opcode ID: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                  • Instruction ID: 3d2dec4d95e9af185b7895388394909643a3f04a8545111f302f4d3a672984e8
                                                  • Opcode Fuzzy Hash: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                  • Instruction Fuzzy Hash: F58104311092459BE364FB10D858FEFB7E8EF94304F10496EE5C5862A1EF30BA49CB96
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                  • Instruction ID: d3c5009532809a3ea094132a1ffc8c56ed3a3d22ffdb13c9d9ebf80dff7491a8
                                                  • Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                  • Instruction Fuzzy Hash: 74412B31610504BBFB60EB7C8C8C6AE3AA6EF41374F148B26F914D73D0E674B9419A72
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                  • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                  • Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                  • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                  • Instruction ID: 1c176c1cd6fb255ef9b7a37a999e3f6e2eaacd524a48b2c54e2ada0565e8de40
                                                  • Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                  • Instruction Fuzzy Hash: 1141B972A00704FFE7249F78CC44B6A7BB5EF88714F10866AE251DB781D771B9418790
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                  • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 3360349984-0
                                                  • Opcode ID: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                  • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                  • Opcode Fuzzy Hash: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                  • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 047B49DF
                                                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 047B49F3
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 047B49FE
                                                  • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 047B4A07
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 3360349984-0
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000006,?,00000000,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?), ref: 04800187
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,00000006,?,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?,?), ref: 04800210
                                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,00000006,00000001,?,?,?,00000002,?), ref: 04800222
                                                  • __freea.LIBCMT ref: 0480022B
                                                    • Part of subcall function 047F6D66: RtlAllocateHeap.NTDLL(00000000,047E468A,?), ref: 047F6D98
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                  • String ID:
                                                  • API String ID: 2652629310-0
                                                  APIs
                                                  Strings
                                                  • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                  • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                  • API String ID: 3472027048-1236744412
                                                  APIs
                                                    • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                    • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                    • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                  • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQuerySleepValue
                                                  • String ID: @CG$exepath$BG
                                                  • API String ID: 4119054056-3221201242
                                                  APIs
                                                    • Part of subcall function 047C28C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 047C28E0
                                                    • Part of subcall function 047C28C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 047C28F9
                                                    • Part of subcall function 047C28C4: RegCloseKey.ADVAPI32(?), ref: 047C2904
                                                  • Sleep.KERNEL32(00000BB8), ref: 047C182A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQuerySleepValue
                                                  • String ID: @CG$exepath$BG
                                                  • API String ID: 4119054056-3221201242
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 047B50D8
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 047B5188
                                                  • TranslateMessage.USER32(?), ref: 047B5197
                                                  • DispatchMessageA.USER32(?), ref: 047B51A2
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 047B525A
                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 047B5292
                                                    • Part of subcall function 047B46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 047B4764
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                  • String ID:
                                                  • API String ID: 2956720200-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SystemTimes$Sleep__aulldiv
                                                  • String ID:
                                                  • API String ID: 188215759-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SystemTimes$Sleep__aulldiv
                                                  • String ID:
                                                  • API String ID: 188215759-0
                                                  APIs
                                                    • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                    • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                    • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                  • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                  • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$ForegroundLength
                                                  • String ID: [ $ ]
                                                  • API String ID: 3309952895-93608704
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 047CA063
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 047CA077
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 047CA084
                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 047CA0B9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$ChangeCloseConfigHandleManager
                                                  • String ID:
                                                  • API String ID: 110783151-0
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandlePointerWrite
                                                  • String ID:
                                                  • API String ID: 3604237281-0
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,047CB90C,00000000,00000000,?), ref: 047CB835
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,047CB90C,00000000,00000000,?,?,047BA270), ref: 047CB852
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,047CB90C,00000000,00000000,?,?,047BA270), ref: 047CB866
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,047CB90C,00000000,00000000,?,?,047BA270), ref: 047CB873
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandlePointerWrite
                                                  • String ID:
                                                  • API String ID: 3604237281-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                    • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                    • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                  • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                  • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                  • String ID:
                                                  • API String ID: 737400349-0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                  • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID:
                                                  • API String ID: 3177248105-0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,047F741E,?,00000000,00000000,00000000,?,047F774A,00000006,0045D330), ref: 047F74A9
                                                  • GetLastError.KERNEL32(?,047F741E,?,00000000,00000000,00000000,?,047F774A,00000006,0045D330,0045D328,0045D330,00000000,00000364,?,047F71F8), ref: 047F74B5
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,047F741E,?,00000000,00000000,00000000,?,047F774A,00000006,0045D330,0045D328,0045D330,00000000), ref: 047F74C3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID:
                                                  • API String ID: 3177248105-0
                                                  • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                  • Instruction ID: 145c423aefaf03b701d01fc91b8169f7c1116413778689fe4d0ed854c52d57f5
                                                  • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                  • Instruction Fuzzy Hash: 6F014432715326ABC7358B69AC44E667F98AB45BA2B154570FB06D7381D620E801CAE4
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B647
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B66C
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B67A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleReadSize
                                                  • String ID:
                                                  • API String ID: 3919263394-0
                                                  • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                  • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                  • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                  • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,047B3D5A,00465324), ref: 047CB89A
                                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,047B3D5A,00465324), ref: 047CB8AE
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,047B3D5A,00465324), ref: 047CB8D3
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,047B3D5A,00465324), ref: 047CB8E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleReadSize
                                                  • String ID:
                                                  • API String ID: 3919263394-0
                                                  • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                  • Instruction ID: 2c7c788da679b3cfc2024b5a4ad55b34a079f3b2e35725c6b2a9a9b2dce47def
                                                  • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                  • Instruction Fuzzy Hash: 21F0FCB52063047FF2101F20FC89FBF379CDB866A5F00067DF90192281DA655C0591B0
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                  • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                  • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                  • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MetricsSystem
                                                  • String ID:
                                                  • API String ID: 4116985748-0
                                                  • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                  • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                  • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                  • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                  APIs
                                                  • AllocConsole.KERNEL32 ref: 047CC120
                                                  • GetConsoleWindow.KERNEL32 ref: 047CC126
                                                  • ShowWindow.USER32(00000000,00000000), ref: 047CC139
                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 047CC15E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Console$Window$AllocOutputShow
                                                  • String ID:
                                                  • API String ID: 4067487056-0
                                                  • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                  • Instruction ID: b9bbcc0f4de444280276e1c84ed8ad54c4f9ceb617eba55fd0f3e9b938b27b0f
                                                  • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                  • Instruction Fuzzy Hash: 5C0167B1980304BFE610FBF19D4EF9D77AC9B14749F500426B748E7392E6A8F5044659
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 047C9E96
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 047C9EAA
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 047C9EB7
                                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 047C9EC6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseControlHandleManager
                                                  • String ID:
                                                  • API String ID: 1243734080-0
                                                  • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                  • Instruction ID: d39108143b03fbc02a6add30af25b8e67c862a11598a22b060e40e32376052c4
                                                  • Opcode Fuzzy Hash: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                  • Instruction Fuzzy Hash: 76F0F672500318BBD3117B34AC8CEFF3BACDB44AA1B000439F90592292DB64DD46D6B4
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 047C9FFD
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 047CA011
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 047CA01E
                                                  • ControlService.ADVAPI32(00000000,00000003,?), ref: 047CA02D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseControlHandleManager
                                                  • String ID:
                                                  • API String ID: 1243734080-0
                                                  • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                  • Instruction ID: 8f796b771b9f17894986dbcd838daa01e2e50663ec17a96403eaa28fa63a3405
                                                  • Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                  • Instruction Fuzzy Hash: 88F0F6325003187BD3216F24EC48FFF3BACDB44AA1F000439FA0592292EB68DD4696B4
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 047C9F98
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 047C9FAC
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 047C9FB9
                                                  • ControlService.ADVAPI32(00000000,00000002,?), ref: 047C9FC8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseControlHandleManager
                                                  • String ID:
                                                  • API String ID: 1243734080-0
                                                  • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                  • Instruction ID: 8a5368f22b57aaf6a16f5a96a0a70ecd4d71016f0df06cbfa50a440e84a686c4
                                                  • Opcode Fuzzy Hash: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                  • Instruction Fuzzy Hash: 5AF0F6725003187BE3116F24AC8DEBF3BACDB44BA1B000039FA0592292DB64DD0696B4
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,047C9A81,00000000,00000000), ref: 047C9E34
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,047C9A81,00000000,00000000), ref: 047C9E49
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,047C9A81,00000000,00000000), ref: 047C9E56
                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,047C9A81,00000000,00000000), ref: 047C9E61
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseHandleManagerStart
                                                  • String ID:
                                                  • API String ID: 2553746010-0
                                                  • Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                  • Instruction ID: 63cc09ace73a58e3cf2c7505a04b750950ec69d269d06e068413fbf107bfa2d4
                                                  • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                  • Instruction Fuzzy Hash: 78F0E9B2105318BFE2116B30AC8CEFF2AACDF85BA2B00047DF54192291CB64DC06D6B5
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,047B4AA6,00000001,?,?,00000000,00475B70,047B1A5A), ref: 047B4D54
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,047B1A5A), ref: 047B4D60
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,047B1A5A), ref: 047B4D6B
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,047B1A5A), ref: 047B4D74
                                                    • Part of subcall function 047CA8ED: GetLocalTime.KERNEL32(00000000), ref: 047CA907
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                  • String ID:
                                                  • API String ID: 2993684571-0
                                                  • Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                  • Instruction ID: 377e1a7682a33bdc40daaeba630f1b5200d20dcfff388b594255514d0ba77b36
                                                  • Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                  • Instruction Fuzzy Hash: 63F0E9755087107FEB1137B49D0EBBA7F98EB02311F0009EEF9C2827B2E924949087A6
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 047CC0E0
                                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 047CC0ED
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 047CC0FA
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 047CC10D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                  • String ID:
                                                  • API String ID: 3024135584-0
                                                  • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                  • Instruction ID: 10968207490e96c7d3e2859cc180459b2f95f09405b4bf33c04770ba3267cae8
                                                  • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                  • Instruction Fuzzy Hash: 5CE04F62104348ABD31427F5BC8DDAB3B6CE784617B101535F61290393EA7498448AB5
                                                  APIs
                                                  • FindResourceA.KERNEL32(0046BC64,0000000A,00000000), ref: 047CA8B7
                                                  • LoadResource.KERNEL32(00000000,?,?,047BE3EA,00000000), ref: 047CA8CB
                                                  • LockResource.KERNEL32(00000000,?,?,047BE3EA,00000000), ref: 047CA8D2
                                                  • SizeofResource.KERNEL32(00000000,?,?,047BE3EA,00000000), ref: 047CA8E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID:
                                                  • API String ID: 3473537107-0
                                                  • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                  • Instruction ID: e2e57bba23a109f22a42efcc3a38a0d6b96b0f373ace138961ce6cdd244f18ac
                                                  • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                  • Instruction Fuzzy Hash: 43E09A7A604710ABCB211BA5BC8CD477E79E786B63714403AF90592331DA359851DA58
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-
                                                  • API String ID: 1302938615-2137968064
                                                  • Opcode ID: bb05039bd10173984d8ac256ef46a28b781231ebc573ca9b653a1b6ddea24a85
                                                  • Instruction ID: 8cb840882d7dcc01e8bcb6c2d305fbedee0d40ac4ae7e73ff9571b8f813617ab
                                                  • Opcode Fuzzy Hash: bb05039bd10173984d8ac256ef46a28b781231ebc573ca9b653a1b6ddea24a85
                                                  • Instruction Fuzzy Hash: 1391B270D04249EFDF20CF6BC8406FDBBB5EF5A364F14835AE865AB390E234A9458B51
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorHandling__start
                                                  • String ID: pow
                                                  • API String ID: 3213639722-2276729525
                                                  • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                  • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                                  • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                  • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CountEventTick
                                                  • String ID: >G
                                                  • API String ID: 180926312-1296849874
                                                  • Opcode ID: 8970c785a5fde0425d3bdd382a7839f198ae3ee3428ffa10454bc42c3a0da609
                                                  • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                  • Opcode Fuzzy Hash: 8970c785a5fde0425d3bdd382a7839f198ae3ee3428ffa10454bc42c3a0da609
                                                  • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                  APIs
                                                  • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Info
                                                  • String ID: $fD
                                                  • API String ID: 1807457897-3092946448
                                                  • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                  • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                  • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                  • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                  APIs
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 047E7D1A
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 047E7DD3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 3480331319-1018135373
                                                  • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                  • Instruction ID: f0e64fd49ab9506e6cd0f174973b169caa6c3901659235e7e8caee04c6ad824b
                                                  • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                  • Instruction Fuzzy Hash: A641F830E00209EBCF18DF6AC844ABEBBB5BF48328F148256D8155B391E731F955CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LG$XG
                                                  • API String ID: 0-1482930923
                                                  • Opcode ID: 66ef9e05317a77fc50b7f8bb6c436893fd1b94a9827f47d0b5a451204cd6ab0b
                                                  • Instruction ID: a4260fffd3343386e6920edc992e93ca036555bde4f5fe0e5ac11932e5447641
                                                  • Opcode Fuzzy Hash: 66ef9e05317a77fc50b7f8bb6c436893fd1b94a9827f47d0b5a451204cd6ab0b
                                                  • Instruction Fuzzy Hash: A231F531E007049ADF20DFAA98447B977A59B45328F10836AED15AB3D0D7B0A6809798
                                                  APIs
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                                    • Part of subcall function 004177A2: 73502440.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                                    • Part of subcall function 00417815: 7351EFB0.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                    • Part of subcall function 004177C5: 73525080.GDIPLUS(?,00417CCC), ref: 004177CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateStream$73502440735173525080
                                                  • String ID: image/jpeg
                                                  • API String ID: 441360555-3785015651
                                                  • Opcode ID: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                  • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                                  • Opcode Fuzzy Hash: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                  • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 047B3C91
                                                    • Part of subcall function 047CAD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,047B3CA7), ref: 047CADC6
                                                    • Part of subcall function 047C791D: CloseHandle.KERNEL32(047B3D20,?,?,047B3D20,00465324), ref: 047C7933
                                                    • Part of subcall function 047C791D: CloseHandle.KERNEL32($SF,?,?,047B3D20,00465324), ref: 047C793C
                                                    • Part of subcall function 047CB881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,047B3D5A,00465324), ref: 047CB89A
                                                  • Sleep.KERNEL32(000000FA,00465324), ref: 047B3D63
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                  • String ID: 8>G
                                                  • API String ID: 368326130-2084872820
                                                  • Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                  • Instruction ID: 671f09ef32f026c28ba7a0ee121025ba296dffab3349429af68188b394268701
                                                  • Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                  • Instruction Fuzzy Hash: CD317A31A012145BEB19FB74DC5DFED7775AF80308F0004A9E986A7391EE607A8ACBD1
                                                  APIs
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 047C7E6F
                                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 047C7EBC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateStream
                                                  • String ID: image/jpeg
                                                  • API String ID: 1369699375-3785015651
                                                  • Opcode ID: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                  • Instruction ID: d88d7002a8e0fc8c243f1d62f7f0836cbba4e2d8460bf584b9239b08c908854f
                                                  • Opcode Fuzzy Hash: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                  • Instruction Fuzzy Hash: 9F312B75504201AFD311AF64CC88EAFBBE9FF8A704F00495DF98597211DB75AA098BA2
                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                  • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                  • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                  • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,04800DA0,?,00000050,?,?,?,?,?), ref: 04800C20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                  • Instruction ID: 5f2199a44a4c3a601eca7a8ae08cc35e213ab39770ca5127a9c26a691efd82d6
                                                  • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                  • Instruction Fuzzy Hash: 7A212B62B21104A6E7B49E54ED10BA77396EF46B6DF46CE20E909D7280F732F900C360
                                                  APIs
                                                    • Part of subcall function 047E3780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 047E378B
                                                    • Part of subcall function 047E3780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 047E37C8
                                                    • Part of subcall function 047E3B0C: __onexit.LIBCMT ref: 047E3B12
                                                  • __Init_thread_footer.LIBCMT ref: 047BB10E
                                                    • Part of subcall function 047E3736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 047E3740
                                                    • Part of subcall function 047E3736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 047E3773
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                  • String ID: ,]G$0]G
                                                  • API String ID: 2974294136-589576501
                                                  • Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                  • Instruction ID: f32b59306943280b2fe7d62a53ff1910fa777b48f49a17563e062cec83128665
                                                  • Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                  • Instruction Fuzzy Hash: 99219131A005089AEB14FBA4D89CFED7335AF44318F50446AD9426B3A1EF24794ACBD4
                                                  APIs
                                                    • Part of subcall function 047C277A: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 047C279E
                                                    • Part of subcall function 047C277A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 047C27BB
                                                    • Part of subcall function 047C277A: RegCloseKey.ADVAPI32(?), ref: 047C27C6
                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 047BB9D3
                                                  • PathFileExistsA.SHLWAPI(?), ref: 047BB9E0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                  • String ID: TUF
                                                  • API String ID: 1133728706-3431404234
                                                  • Opcode ID: d94b965c273a091329a6f5a73edda4c14bb16021ab9e8e668cdf3b753880c9a9
                                                  • Instruction ID: a6052f78945b5889609e162eca2e1b814ea72f5b2c4bfeee3d7ad713c5f57e5a
                                                  • Opcode Fuzzy Hash: d94b965c273a091329a6f5a73edda4c14bb16021ab9e8e668cdf3b753880c9a9
                                                  • Instruction Fuzzy Hash: 1921A631A4110866DB14F7F4CC9EFEE77746F10708F4005A9998267382FE65B909C7D2
                                                  APIs
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                                    • Part of subcall function 004177A2: 73502440.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                                    • Part of subcall function 00417815: 7351EFB0.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                    • Part of subcall function 004177C5: 73525080.GDIPLUS(?,00417CCC), ref: 004177CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateStream$73502440735173525080
                                                  • String ID: image/png
                                                  • API String ID: 441360555-2966254431
                                                  • Opcode ID: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                                  • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                                  • Opcode Fuzzy Hash: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                                  • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                                  APIs
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 047C7F5B
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 047C7F80
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateStream
                                                  • String ID: image/png
                                                  • API String ID: 1369699375-2966254431
                                                  • Opcode ID: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                                  • Instruction ID: 60e408224cc9c9e476c2038b18c6967d4fd7017955b4abd825175ca62e847ef5
                                                  • Opcode Fuzzy Hash: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                                  • Instruction Fuzzy Hash: 8C21C035200211AFC315EF64CC88DAFBBADEF8A755F00095DF54693221DF25AA45CBA2
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 481472006-1507639952
                                                  • Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                  • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                  • Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                  • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 047B4C58
                                                    • Part of subcall function 047CA8ED: GetLocalTime.KERNEL32(00000000), ref: 047CA907
                                                  • GetLocalTime.KERNEL32(?), ref: 047B4CB5
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 047B4C4C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 481472006-1507639952
                                                  • Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                  • Instruction ID: edf36dc2609e368d64e45468f6bd2744daa7b01adce66b63a6d61290b246ac8e
                                                  • Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                  • Instruction Fuzzy Hash: 99213561A042806FD311F7689C1C7AA7BE457D1309F4405ADE88A03362EB68B58D87EB
                                                  APIs
                                                  • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: | $%02i:%02i:%02i:%03i
                                                  • API String ID: 481472006-2430845779
                                                  • Opcode ID: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                  • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                  • Opcode Fuzzy Hash: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                  • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                  APIs
                                                  • CoInitializeEx.COMBASE(00000000,00000002), ref: 047B6A9C
                                                    • Part of subcall function 047B69CB: _wcslen.LIBCMT ref: 047B69EF
                                                    • Part of subcall function 047B69CB: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 047B6A50
                                                  • CoUninitialize.COMBASE ref: 047B6AF5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                  • String ID: C:\Users\user\Desktop\advancePayment-pdf.exe
                                                  • API String ID: 3851391207-2203547796
                                                  • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                  • Instruction ID: a814e80daad35846607d1903f6767aad08b83dee1de82ad3c2a0dcc4b9f86bec
                                                  • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                  • Instruction Fuzzy Hash: 080192723057116BE7246B21DC4DFBB7758DF41769F21412EFA8587280EAA1FC1046A3
                                                  APIs
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 047C2879
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 047C28AF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID: TUF
                                                  • API String ID: 3660427363-3431404234
                                                  • Opcode ID: b09a7c0ab263ba9602d255bab372d31fcc1af682bb43ba0fd7320c28ba140ab5
                                                  • Instruction ID: d6c7f11cbe392281e1d85c9c76b73381b2f7e3ec414c016e0b710bfbf61b1ba2
                                                  • Opcode Fuzzy Hash: b09a7c0ab263ba9602d255bab372d31fcc1af682bb43ba0fd7320c28ba140ab5
                                                  • Instruction Fuzzy Hash: 9A014FB6A00108FFEB149B95DD49EFE7ABDEB48251F10007AF901E2241E6B0AF009660
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: alarm.wav$xIG
                                                  • API String ID: 1174141254-4080756945
                                                  • Opcode ID: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                  • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                  • Opcode Fuzzy Hash: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                  • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 047CA115
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: TUF$xIG
                                                  • API String ID: 1174141254-2109147017
                                                  • Opcode ID: 2fae138b2d3ec9b0a0b8c660c1a787d1356efb4be69c0d9f0b79cf6aaa7c8617
                                                  • Instruction ID: 365a5414111e2da66d464c36e1c239b0d99717f929d682f685f15b072394c957
                                                  • Opcode Fuzzy Hash: 2fae138b2d3ec9b0a0b8c660c1a787d1356efb4be69c0d9f0b79cf6aaa7c8617
                                                  • Instruction Fuzzy Hash: D501F11030460567EB24F674A81DBEE37518B80789F00846ED8DA873E2EF64BA45C3DB
                                                  APIs
                                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                  • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                  • String ID: Online Keylogger Stopped
                                                  • API String ID: 1623830855-1496645233
                                                  • Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                  • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                  • Opcode Fuzzy Hash: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                  • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                  APIs
                                                    • Part of subcall function 047BAADD: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 047BAAEB
                                                    • Part of subcall function 047BAADD: wsprintfW.USER32 ref: 047BAB6C
                                                    • Part of subcall function 047CA8ED: GetLocalTime.KERNEL32(00000000), ref: 047CA907
                                                  • CloseHandle.KERNEL32(?), ref: 047BAA31
                                                  • UnhookWindowsHookEx.USER32 ref: 047BAA44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                  • String ID: Online Keylogger Stopped
                                                  • API String ID: 1623830855-1496645233
                                                  • Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                  • Instruction ID: 9daca070d533a2e7f44eda26b330539ff4da6a6cc5dc7c2d0e5e94b5a0b5b304
                                                  • Opcode Fuzzy Hash: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                  • Instruction Fuzzy Hash: A401F735604204ABEB267B68C90E7FD7BB15B41305F40049DE9C206792EB657485D7F6
                                                  APIs
                                                  • waveInPrepareHeader.WINMM(00473D90,00000020,00475BF4,00475BF4,00000000,00475B70,00473EE8,?,00000000,047B1B7A), ref: 047B19AE
                                                  • waveInAddBuffer.WINMM(00473D90,00000020,?,00000000,047B1B7A), ref: 047B19C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferHeaderPrepare
                                                  • String ID: T=G
                                                  • API String ID: 2315374483-379896819
                                                  • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                  • Instruction ID: 99e6e2857bc28abf1206c88d2caa12bb4c9cc9cfcc51d23a3ebc81cb742aa8eb
                                                  • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                  • Instruction Fuzzy Hash: C601A271302300AFD7109F28EC48FA5BBB5FB49259B014539E509C3761EB31AC50DB98
                                                  APIs
                                                  • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocaleValid
                                                  • String ID: IsValidLocaleName$j=D
                                                  • API String ID: 1901932003-3128777819
                                                  • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                  • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                  • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                  • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: T=G$T=G
                                                  • API String ID: 3519838083-3732185208
                                                  • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                  • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                  • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                  • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                  APIs
                                                  • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                    • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                    • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                    • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                    • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                    • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                    • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                    • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                  • String ID: [AltL]$[AltR]
                                                  • API String ID: 2738857842-2658077756
                                                  • Opcode ID: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                  • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                  • Opcode Fuzzy Hash: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                  • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                  APIs
                                                  • _free.LIBCMT ref: 00448825
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorFreeHeapLast_free
                                                  • String ID: `@$`@
                                                  • API String ID: 1353095263-20545824
                                                  • Opcode ID: 2326f6fe36e10153050cc4bae1a5375c129034e6fecb0164bc5ce0e28facf2d8
                                                  • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                  • Opcode Fuzzy Hash: 2326f6fe36e10153050cc4bae1a5375c129034e6fecb0164bc5ce0e28facf2d8
                                                  • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                  APIs
                                                  • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State
                                                  • String ID: [CtrlL]$[CtrlR]
                                                  • API String ID: 1649606143-2446555240
                                                  • Opcode ID: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                  • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                  • Opcode Fuzzy Hash: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                  • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
                                                  • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteOpenValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                  • API String ID: 2654517830-1051519024
                                                  • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                  • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                  • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                  • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,047BC5A3,00000000,?,00000000), ref: 047C2BEF
                                                  • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 047C2BFF
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 047C2BED
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteOpenValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                  • API String ID: 2654517830-1051519024
                                                  • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                  • Instruction ID: 20d12b54849d27c48a724ca37ae33387c58d4bc393386fc38f76c3c586dac9c1
                                                  • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                  • Instruction Fuzzy Hash: 68E01278600304BAEF204F61AC06F9B37ACEB40B89F0041A8F501E5192D271E904AA54
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,047BDC11,0000000D,00000033,00000000,00000032,00000000,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 047BC14D
                                                  • GetLastError.KERNEL32 ref: 047BC158
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateErrorLastMutex
                                                  • String ID: Rmc-I7G983
                                                  • API String ID: 1925916568-3173645232
                                                  • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                  • Instruction ID: fc7d249549ef80d6ebd1293d8f49727574ce8f173be21455aa7a9aa620db4c26
                                                  • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                  • Instruction Fuzzy Hash: 0ED012707483019BE7281B747C8D7693554E784703F0044B9B50FC56D1CF6488409A15
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                  • GetLastError.KERNEL32 ref: 0043FB02
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2300300543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2300300543.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2300300543.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID:
                                                  • API String ID: 1717984340-0
                                                  • Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                  • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                  • Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                  • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,047B1D3F), ref: 047EFD5B
                                                  • GetLastError.KERNEL32 ref: 047EFD69
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 047EFDC4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2302695960.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_47b0000_advancePayment-pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID:
                                                  • API String ID: 1717984340-0
                                                  • Opcode ID: 51d5f03fba1b172d5651f1593246994e43d26d1415dc77cb91aa80c4233d165d
                                                  • Instruction ID: c4f4e7703634edcb7a76f7853d700b2947defba3a9c039b2bd5764aa9d446548
                                                  • Opcode Fuzzy Hash: 51d5f03fba1b172d5651f1593246994e43d26d1415dc77cb91aa80c4233d165d
                                                  • Instruction Fuzzy Hash: F641C631604206BFDB258F66CC48BBA7BA5EF09320F1442ADE9599B791EB30F901C750